CVE-2025-34038

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

SQL injection vulnerability exists in Weaver e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

References

Link	Resource
https://vulncheck.com/advisories/fanwei-ecology-sql-injection	Exploit Third Party Advisory
https://weaver.com.co/products/ecology/
https://www.cnblogs.com/0day-li/p/14637680.html	Exploit
https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:weaver:e-cology:*:*:*:*:*:*:*:*

History

27 Jan 2026, 21:15

Type	Values Removed	Values Added
Summary	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.	(en) A SQL injection vulnerability exists in Weaver e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
References	~~{'url': 'https://www.weaver.com.cn/', 'tags': ['Product'], 'source': '[email protected]'}~~	() https://weaver.com.co/products/ecology/ -

20 Nov 2025, 22:15

Type	Values Removed	Values Added
Summary	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-07-13 UTC.	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.

17 Nov 2025, 22:15

Type	Values Removed	Values Added
Summary	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes.	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-07-13 UTC.

23 Sep 2025, 19:26

Type	Values Removed	Values Added
CPE		cpe:2.3:a:weaver:e-cology::::::::
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5
References	~~() https://vulncheck.com/advisories/fanwei-ecology-sql-injection -~~	() https://vulncheck.com/advisories/fanwei-ecology-sql-injection - Exploit, Third Party Advisory
References	~~() https://www.cnblogs.com/0day-li/p/14637680.html -~~	() https://www.cnblogs.com/0day-li/p/14637680.html - Exploit
References	~~() https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202 -~~	() https://www.cnvd.org.cn/flaw/show/CNVD-2021-33202 - Third Party Advisory
References	~~() https://www.weaver.com.cn/ -~~	() https://www.weaver.com.cn/ - Product
First Time		Weaver e-cology Weaver

26 Jun 2025, 18:58

Type	Values Removed	Values Added
Summary		(es) Existe una vulnerabilidad de inyección SQL en Fanwei e-cology 8.0 a través del endpoint getdata.jsp. La aplicación pasa directamente la entrada de usuario no saneada del parámetro sql a una consulta de base de datos dentro del método getSelectAllIds(sql, type), accesible mediante el flujo de trabajo cmd=getSelectAllId en AjaxManager. Esto permite a atacantes no autenticados ejecutar consultas SQL arbitrarias, lo que podría exponer datos confidenciales, como hashes de contraseñas de administrador.

24 Jun 2025, 03:15

Type	Values Removed	Values Added
Summary	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 and prior via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes.	(en) A SQL injection vulnerability exists in Fanwei e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes.
References	~~{'url': 'https://vulncheck.com/advisories/fanwei-e-cology-sql-injection', 'source': '[email protected]'}~~	() https://vulncheck.com/advisories/fanwei-ecology-sql-injection -

24 Jun 2025, 02:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-24 02:15

Updated : 2026-01-27 21:15

NVD link : CVE-2025-34038

Mitre link : CVE-2025-34038

CVE.ORG link : CVE-2025-34038

JSON object : View

Products Affected

weaver

e-cology

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

7.5 /10