CVE-2025-15492

6.3 MEDIUM

📋 TL;DR

This CVE describes a SQL injection vulnerability in RainyGao DocSys up to and including version 2.02.36. The searchWord parameter that reaches the GroupMemberMapper.xml mapper file is not safely bound into the query, so a remote attacker who can alter that parameter can change the SQL statement and read or modify database content. Organizations running an affected version of this document management system are exposed.

💻 Affected Systems

Products:
  • RainyGao DocSys
Versions: Up to and including 2.02.36
Operating Systems: Any OS running DocSys
Default Config Vulnerable: ⚠️ Yes
Notes: All deployments using vulnerable versions are affected regardless of configuration.

📦 What is this software?

RainyGao DocSys is a web-based document management system. The code path at issue here is its group-member search, whose searchWord parameter is handled by the GroupMemberMapper.xml mapper file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full compromise of the DocSys database: theft and manipulation of every table the application's database account can reach, and, where that account holds file-system or administrative database privileges, a path to server takeover through follow-on attacks.

🟠 Likely Case

Unauthorized data access: extraction of document metadata and user records beyond the attacker's own group, and potential corruption of that data.

🟢 If Mitigated

Limited impact where searchWord is bound as a query parameter rather than spliced into the SQL text, input is validated, and the database account is confined to the DocSys schema with least privilege.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details are available in a GitHub repository (not linked on this page), so exploitation requires little skill or tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No fixed version is listed for this CVE. Watch the project's releases for a version above 2.02.36 that changes how GroupMemberMapper.xml handles searchWord, and apply the workarounds below until one is available. Note that the durable fix is binding searchWord as a prepared-statement parameter in the mapper, not filtering it at the edge.

🔧 Temporary Workarounds

Input Validation Filter

Platform: all

Validate searchWord before it reaches the data layer: enforce a short maximum length and an allowlist of expected characters (letters, digits, CJK, spaces) rather than a blocklist of SQL keywords and quote characters, which attackers bypass with case changes, URL encoding and comment sequences. Treat this as a stopgap; the real fix is parameter binding in the mapper.

WAF Rule Implementation

Platform: all

Deploy web application firewall rules that inspect the URL-decoded searchWord parameter for SQL injection patterns (UNION ... SELECT, quote-and-OR tautologies, comment terminators such as -- and /*). Log blocked requests so they feed the detection queries below.
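To make the root cause and the fix concrete, here is an added Python example (not DocSys code, and not the project's actual mapper) that reproduces the bug class with an in-memory SQLite table standing in for DocSys's group-member data: the search term is either spliced into a LIKE clause as text, or bound as a parameter. In a MyBatis-style mapper such as GroupMemberMapper.xml the same distinction is `${searchWord}` (string substitution) versus `#{searchWord}` (bound parameter); that DocSys's mapper uses the former is an assumption here, not something this page states. The example also shows why the keyword blocklist described above is weak: a payload the blocklist misses still returns every row. The table name, columns, rows and both payload strings are constructed for the demo.

```python
"""Added example: string-substituted vs parameter-bound search term (SQLite in memory).
Not DocSys code; the group_member table and its rows are constructed for the demo."""
import sqlite3

# The probe string from the verification section of this page.
PAGE_PAYLOAD = "' OR '1'='1"
# A payload that comments out the rest of the statement, escaping the groupId filter too.
COMMENT_PAYLOAD = "' OR 1=1 -- "

# A naive keyword blocklist of the kind the workaround section warns against.
NAIVE_BLOCKLIST = ("UNION", "SELECT", "OR '1'='1")


def naive_filter_rejects(term: str) -> bool:
    """True if the blocklist would reject the term (case-insensitive match)."""
    upper = term.upper()
    return any(token in upper for token in NAIVE_BLOCKLIST)


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for a group-member table (assumed schema, not DocSys's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE group_member (id INTEGER, groupId INTEGER, userName TEXT)")
    conn.executemany(
        "INSERT INTO group_member VALUES (?, ?, ?)",
        [(1, 10, "alice"), (2, 10, "bob"), (3, 20, "carol")],
    )
    return conn


def search_vulnerable(conn, group_id: int, search_word: str) -> list:
    """Bug class of CVE-2025-15492: the term is substituted into the SQL text
    (MyBatis ${searchWord}), so quotes and operators in it become part of the query."""
    sql = (
        f"SELECT userName FROM group_member WHERE groupId = {int(group_id)} "
        f"AND userName LIKE '%{search_word}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_fixed(conn, group_id: int, search_word: str) -> list:
    """Fix: the term is bound as a parameter (MyBatis #{searchWord}); the LIKE
    wildcards are added to the value, so the statement text never changes."""
    sql = "SELECT userName FROM group_member WHERE groupId = ? AND userName LIKE ?"
    return [row[0] for row in conn.execute(sql, (group_id, f"%{search_word}%"))]


def demo() -> dict:
    conn = make_db()
    return {
        # Page payload against the vulnerable query: the trailing %' re-attaches, so the
        # OR clause compares '1' with '1%' (false) and only group 10 comes back. The query
        # still executed attacker-controlled SQL; it just did not leak across groups.
        "vuln_page_payload": search_vulnerable(conn, 10, PAGE_PAYLOAD),
        # Comment payload: the rest of the statement is discarded, every group leaks.
        "vuln_comment_payload": search_vulnerable(conn, 10, COMMENT_PAYLOAD),
        # The same payloads against the fixed query are just literal strings to match.
        "fixed_page_payload": search_fixed(conn, 10, PAGE_PAYLOAD),
        "fixed_comment_payload": search_fixed(conn, 10, COMMENT_PAYLOAD),
        "fixed_benign": search_fixed(conn, 10, "ali"),
        # The blocklist catches the page payload but waves the comment payload through.
        "blocklist_rejects_page": naive_filter_rejects(PAGE_PAYLOAD),
        "blocklist_rejects_comment": naive_filter_rejects(COMMENT_PAYLOAD),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the two payloads: a single probe string can come back looking harmless against a vulnerable query (here the page's own ' OR '1'='1 only returns the caller's group), so a clean result from one payload is not evidence that the mapper is fixed, and a blocklist tuned to that payload is not evidence that the input is safe.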

🧯 If You Can't Patch

  • Isolate the DocSys instance behind network segmentation with strict access controls, so that only intended users can reach the web interface at all
  • Apply database-level protections: run DocSys under a database account limited to its own schema with no file-system or administrative privileges, enable query logging, and review the audit trail regularly

🔍 How to Verify

Check if Vulnerable:

Read the DocSys version from the admin interface or the installation's configuration files. Any version up to and including 2.02.36 is vulnerable.

Check Version:

Check web interface or configuration files for version information

Verify Fix Applied:

Exercise the group-member search with injection strings (e.g. ' OR '1'='1, and a variant ending in a comment sequence such as -- ) and confirm the response is identical to a search for a harmless string that matches nothing. Rejection by a WAF or input filter is not proof the mapper is fixed: confirm that the deployed GroupMemberMapper.xml binds searchWord as a prepared-statement parameter (in MyBatis terms, #{searchWord} rather than ${searchWord}) instead of substituting it into the SQL text.

📡 Detection & Monitoring

Log Indicators:

  • Queries from the DocSys database account that do not match the application's normal statement shapes, e.g. UNION SELECT against tables the group-member search never reads (visible in the database's general query log)
  • SQL syntax errors in application or database logs triggered by the search endpoint, typical of an attacker tuning a payload
  • Bursts of search requests with many distinct searchWord values from one client, which indicates automated probing rather than a user searching

Network Indicators:

  • HTTP requests carrying SQL keywords, quote characters or comment sequences in the searchWord parameter, including URL-encoded and mixed-case forms (e.g. %27+OR+%271%27%3D%271, UnIoN SeLeCt)
  • Unusual database connection or result-volume patterns from the application server, such as a search response far larger than normal

SIEM Query:

Illustrative pseudo-syntax; adapt to your SIEM. Decode URL encoding before matching and match case-insensitively, otherwise encoded and mixed-case payloads slip past a plain keyword match:

source="DocSys" AND lower(urldecode(searchWord)) MATCHES "(union\s+select|\bor\b\s+\S+\s*=|--|/\*)"
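To turn the indicators above into something runnable, here is an added Python example (not DocSys code) that parses constructed access-log lines in common log format, URL-decodes the searchWord value, flags the same patterns the SIEM query looks for, and separately reports clients that probe with many distinct search terms. The request path /DocSys/groupMembers, the client addresses and every log line are constructed for the example; DocSys's real endpoint path is not taken from this page.

```python
"""Added example: detection logic for the searchWord indicators, run over constructed
access-log lines. The endpoint path and log lines are made up for the demo."""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Common/combined log prefix: client, identity, user, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Patterns are applied to the *decoded* parameter value, case-insensitively.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("or-tautology", re.compile(r"\bor\b\s+['\"]?\w+['\"]?\s*(=|like)\s*['\"]?\w+", re.I)),
    ("comment-terminator", re.compile(r"--|/\*")),
    ("stacked-query", re.compile(r";\s*(select|insert|update|delete|drop)\b", re.I)),
]

# Constructed sample: two legitimate users and one client probing the parameter.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2026:10:00:01 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=alice HTTP/1.1" 200 512',
    '10.0.0.5 - - [10/Jan/2026:10:00:02 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=%E5%BC%A0 HTTP/1.1" 200 340',
    '203.0.113.7 - - [10/Jan/2026:10:00:05 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=%27+OR+%271%27%3D%271 HTTP/1.1" 200 9812',
    '203.0.113.7 - - [10/Jan/2026:10:00:06 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=x%27%20UnIoN%20SeLeCt%201%2C2%2C3--%20 HTTP/1.1" 500 211',
    '203.0.113.7 - - [10/Jan/2026:10:00:07 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=a%27%20or%201%3D1%20--%20 HTTP/1.1" 200 9812',
    '198.51.100.2 - - [10/Jan/2026:10:00:09 +0000] "GET /DocSys/groupMembers?groupId=10&searchWord=Taylor HTTP/1.1" 200 480',
]


def extract_search_word(line: str):
    """Return (client_ip, decoded searchWord) for a request that carries the parameter."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = parse_qs(urlsplit(m.group("target")).query)  # handles %xx and '+' decoding
    values = query.get("searchWord")
    if not values:
        return None
    return m.group("ip"), values[0]


def classify(search_word: str) -> list:
    """Names of every injection pattern the decoded term matches (empty if benign)."""
    return [name for name, rx in SQLI_PATTERNS if rx.search(search_word)]


def scan(lines) -> list:
    """One alert per request whose decoded searchWord matches an injection pattern."""
    alerts = []
    for line in lines:
        hit = extract_search_word(line)
        if not hit:
            continue
        ip, word = hit
        reasons = classify(word)
        if reasons:
            alerts.append({"ip": ip, "searchWord": word, "reasons": reasons})
    return alerts


def probing_sources(lines, min_distinct: int = 3) -> list:
    """Clients that sent at least min_distinct different search terms: the
    'burst of distinct values' indicator, independent of any keyword match."""
    per_ip = defaultdict(set)
    for line in lines:
        hit = extract_search_word(line)
        if hit:
            per_ip[hit[0]].add(hit[1])
    return sorted(ip for ip, words in per_ip.items() if len(words) >= min_distinct)


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
    print("probing sources:", probing_sources(SAMPLE_LOG))
```

Decoding before matching is what separates this from the naive keyword query: the second and third probe lines arrive as %27+OR+%271%27%3D%271 and mixed-case UnIoN SeLeCt, which a raw substring match on "UNION" or "OR '1'='1" never sees. The word-boundary in the OR pattern keeps ordinary names such as Taylor from alerting.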
