CVE-2025-10122

4.7 MEDIUM

📋 TL;DR

This SQL injection vulnerability in Maccms10 allows attackers to manipulate database queries through the 'where' parameter in the 'rep' function. Attackers can potentially read, modify, or delete database content. All users running the affected Maccms10 version are vulnerable to remote exploitation.

💻 Affected Systems

Products:
  • Maccms10
Versions: 2025.1000.4050
Operating Systems: All platforms running Maccms10
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default installation. Requires admin panel access for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including data theft, data manipulation, or potential remote code execution via database functions.

🟠

Likely Case

Unauthorized data access, data exfiltration, and potential privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper input validation and database permission restrictions in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit details are publicly available. Requires authentication to admin panel.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Check vendor for updated version

Vendor Advisory: Not provided in references

Restart Required: No

Instructions:

  1. Check the Maccms10 official website for security updates.
  2. Apply the latest patch.
  3. Verify that the Database.php file has been updated.

🔧 Temporary Workarounds

Input Validation Workaround


Add parameter validation to the 'where' parameter in Database.php

Modify application/admin/controller/Database.php to validate/sanitize the 'where' parameter

Database Permission Restriction


Limit database user permissions to read-only where possible

-- Strip the DDL privileges the application account should never hold
REVOKE DROP, CREATE, ALTER ON maccms_db.* FROM 'maccms_user'@'localhost';
-- Where the deployment allows it, go further and leave the account read-only (SELECT only)
REVOKE INSERT, UPDATE, DELETE ON maccms_db.* FROM 'maccms_user'@'localhost';

🧯 If You Can't Patch

  • Implement web application firewall (WAF) with SQL injection rules
  • Restrict admin panel access to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

Check whether your Maccms10 version is 2025.1000.4050 and review the 'rep' function in application/admin/controller/Database.php to confirm the 'where' parameter reaches the query without validation.

Check Version:

Check Maccms10 admin panel or config files for version information

Verify Fix Applied:

Test the 'rep' function with SQL injection payloads to ensure they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual database queries from admin panel
  • Multiple failed SQL injection attempts in logs

Network Indicators:

  • SQL syntax in HTTP POST parameters to Database.php
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND (uri="/admin/Database/rep" AND (param="where" CONTAINS "UNION" OR param="where" CONTAINS "SELECT"))
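The SIEM query above is pseudo-syntax; the following script, added here as an example and not part of the original advisory or the Maccms10 project, applies the same logic to web-server access logs: it parses each request line, keeps only requests to the rep route, URL-decodes the 'where' query parameter and flags values containing UNION or SELECT regardless of case or encoding. The log lines are constructed samples, the route prefix (VULN_PATH) is assumed and should be adjusted to the deployed ThinkPHP route, and only query-string parameters are visible in standard access logs, so POST bodies need a separate source such as WAF or reverse-proxy request logging.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format, not real Maccms10 logs).
# Line 1 is a benign admin request; lines 2 and 4 carry SQL keywords in 'where';
# line 3 hits a different route and must be ignored.
SAMPLE_LOG_LINES = [
    '10.0.0.5 - admin [12/Sep/2025:10:01:02 +0000] "GET /admin/Database/rep?where=vod_id%3D12 HTTP/1.1" 200 512',
    '10.0.0.5 - admin [12/Sep/2025:10:01:09 +0000] "POST /admin/Database/rep?where=1%3D1%20UNION%20SELECT%201%2C2 HTTP/1.1" 200 1024',
    '10.0.0.9 - - [12/Sep/2025:10:02:11 +0000] "GET /admin/Vod/index HTTP/1.1" 200 2048',
    '10.0.0.7 - admin [12/Sep/2025:10:03:30 +0000] "GET /admin/Database/rep?where=1%20union%20select HTTP/1.1" 500 77',
]

# Assumed route of the vulnerable action; adjust to the prefix used by the deployment.
VULN_PATH = "/admin/Database/rep"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Whole-word match so a column named "selected" does not trigger on its own.
SQL_KEYWORDS = re.compile(r'\b(union|select)\b', re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into fields; return None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # parse_qs performs one level of URL decoding for us.
    rec["params"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def suspicious_where(params):
    """Return the decoded 'where' value if it carries a SQL keyword, else None."""
    for raw in params.get("where", []):
        value = unquote_plus(raw)  # tolerate double-encoded payloads
        if SQL_KEYWORDS.search(value):
            return value
    return None


def detect(lines):
    """Run the detection over an iterable of log lines and return alert records."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"].lower() != VULN_PATH.lower():
            continue
        hit = suspicious_where(rec["params"])
        if hit is None:
            continue
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "user": rec["user"],
            "method": rec["method"],
            "status": rec["status"],
            "where": hit,
        })
    return alerts


def count_by_source(alerts):
    """Aggregate alerts per source IP, useful for spotting a single host probing repeatedly."""
    counts = {}
    for a in alerts:
        counts[a["ip"]] = counts.get(a["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = detect(SAMPLE_LOG_LINES)
    for a in found:
        print(f'{a["ts"]} {a["ip"]} user={a["user"]} {a["method"]} status={a["status"]} where={a["where"]!r}')
    print("per-source counts:", count_by_source(found))
```

Because the rep action sits behind the admin panel, every alert also identifies an authenticated admin session; correlate the `user` field with the admin login log to tell a compromised account from a legitimate administrator whose filter text happens to contain the keyword.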

🔗 References
