CVE-2025-10210

6.3 MEDIUM

📋 TL;DR

This CVE describes a SQL injection vulnerability in ChanCMS up to version 3.3.0, specifically in the Search function's key parameter. Attackers can remotely exploit this to execute arbitrary SQL commands on the database. All users running vulnerable versions of ChanCMS are affected.

💻 Affected Systems

Products:
  • yanyutao0402 ChanCMS
Versions: Up to and including 3.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with the vulnerable Search function are affected regardless of configuration.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, modification, or deletion, and potential server takeover via SQL injection leading to remote code execution.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information, and potential privilege escalation within the application.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Proof of concept is publicly available but requires some technical knowledge to implement.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Consider applying community fixes or migrating to alternative software.

🔧 Temporary Workarounds

Input Validation and Sanitization (all platforms)

Implement strict input validation and parameterized queries for the Search function's key parameter.

Web Application Firewall (WAF), all platforms

Deploy a WAF with SQL injection protection rules to block exploitation attempts.
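The first workaround above (validation plus parameterized queries for the Search key parameter), as an added Node.js example that is not ChanCMS's own code: the table and column names, the length limit, and the MySQL-style `?` placeholder are assumptions, and the unsafe variant is an illustrative pattern, not the project's actual implementation.

```javascript
// Added example (not ChanCMS code). Builds the Search query for the `key`
// parameter so that the SQL text stays constant and user input only ever
// travels in the bound parameter list, e.g. mysql2's execute(sql, params).
// Table/column names ("article", "title") are assumed placeholders.

const MAX_KEY_LENGTH = 64; // assumed limit for a search term

// Reject anything that is not a plain, reasonably short string. Control
// characters are refused rather than stripped so the caller can answer
// with a clear 400 instead of silently running an altered search.
function validateSearchKey(key) {
  if (typeof key !== 'string') return null;
  const trimmed = key.trim();
  if (trimmed.length === 0 || trimmed.length > MAX_KEY_LENGTH) return null;
  if (/[\x00-\x1f\x7f]/.test(trimmed)) return null;
  return trimmed;
}

// A bind parameter stops SQL injection but does not neutralise LIKE's own
// wildcards (% and _); escape them so the user matches the literal text.
// MySQL's default LIKE escape character is the backslash.
function escapeLikePattern(text) {
  return text.replace(/[\\%_]/g, (ch) => '\\' + ch);
}

// Hardened form: returns { sql, params } or null when the key is invalid.
// `sql` never contains user data; only `params` does.
function buildSearchQuery(key) {
  const clean = validateSearchKey(key);
  if (clean === null) return null;
  const pattern = '%' + escapeLikePattern(clean) + '%';
  return {
    sql: 'SELECT id, title FROM article WHERE title LIKE ? LIMIT 20',
    params: [pattern],
  };
}

// Illustrative vulnerable pattern this replaces: concatenating `key` into
// the SQL text is the class of defect CVE-2025-10210 describes.
function buildSearchQueryUnsafe(key) {
  return {
    sql: "SELECT id, title FROM article WHERE title LIKE '%" + key + "%' LIMIT 20",
    params: [],
  };
}
```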

🧯 If You Can't Patch

  • Disable or restrict access to the vulnerable Search API endpoint
  • Implement network segmentation to isolate the ChanCMS instance from sensitive systems

🔍 How to Verify

Check if Vulnerable:

Check whether the installation is running ChanCMS version 3.3.0 or earlier by examining the application version in the admin panel or in the source code.

Check Version:

Check application configuration files or admin interface for version information.

Verify Fix Applied:

Test the Search function with SQL injection payloads to confirm they are properly sanitized or blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in application logs
  • Multiple failed search attempts with special characters
  • Database error messages containing SQL syntax

Network Indicators:

  • HTTP requests to /api/search with SQL injection patterns in parameters
  • Unusual database connection patterns from application server

SIEM Query:

source="app_logs" AND ("SQL syntax" OR "unexpected token" OR "Search key=")
