CVE-2025-41370
📋 TL;DR
A SQL injection vulnerability in Gandia Integra Total of TESI allows authenticated attackers to manipulate database operations through the 'idestudio' parameter. This affects versions 2.1.2217.3 through 4.4.2236.1, enabling data theft, modification, or deletion.
💻 Affected Systems
- Gandia Integra Total of TESI
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including sensitive data exfiltration, privilege escalation, and system takeover.
Likely Case
Unauthorized data access and manipulation by authenticated malicious users or compromised accounts.
If Mitigated
Limited impact with proper input validation, parameterized queries, and least privilege database accounts.
🎯 Exploit Status
SQL injection via parameter manipulation is well-understood; exploitation requires authenticated access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Versions after 4.4.2236.1
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-gandia-integra-total-tesi
Restart Required: Yes
Instructions:
1. Check the current version.
2. Upgrade to the latest version beyond 4.4.2236.1.
3. Restart application services.
4. Verify the fix.
🔧 Temporary Workarounds
Input Validation Filter
Implement server-side validation of 'idestudio' parameter values.
Modify /encuestas/integraweb/html/view/acceso.php to validate 'idestudio' as integer using is_numeric() or similar.
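A hardened handler for the 'idestudio' parameter, as an added example (not code from Gandia Integra Total or TESI): it validates the value with FILTER_VALIDATE_INT, which is stricter than is_numeric() (it rejects "1.5" and "1e3"), and binds it as an integer in a prepared statement. The PDO connection and the table name `estudio` are assumptions.

```php
<?php
// Added example, not the vendor's code. Assumes a PDO connection ($pdo) and a
// placeholder table `estudio` with an integer column `idestudio`.

/**
 * Validate 'idestudio' strictly as a positive integer. Returns null on failure.
 * FILTER_VALIDATE_INT is stricter than is_numeric(): is_numeric() accepts
 * floats ("1.5") and exponent notation ("1e3"), which a raw id never needs.
 */
function parseIdEstudio(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return ($id === false) ? null : $id;
}

// Before (the pattern the advisory describes): the raw request value is
// concatenated into the query, so any quote or keyword in it becomes SQL.
// $sql = "SELECT * FROM estudio WHERE idestudio = '" . $_GET['idestudio'] . "'";

// After: the validated integer is bound to a prepared statement, so the
// database never parses request data as SQL.
function fetchEstudio(PDO $pdo, ?string $raw): ?array
{
    $id = parseIdEstudio($raw);
    if ($id === null) {
        http_response_code(400);   // reject non-integer input before any DB call
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM estudio WHERE idestudio = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return ($row === false) ? null : $row;
}

// Usage in acceso.php (hypothetical call site):
// $estudio = fetchEstudio($pdo, $_GET['idestudio'] ?? null);
```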
Web Application Firewall (WAF)
Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.
Configure WAF to detect and block SQL injection attempts on /encuestas/integraweb/html/view/acceso.php.
🧯 If You Can't Patch
- Restrict access to the vulnerable endpoint using network ACLs or authentication controls.
- Implement database-level controls: use least privilege accounts, enable auditing, and monitor for suspicious queries.
🔍 How to Verify
Check if Vulnerable:
Test the 'idestudio' parameter in /encuestas/integraweb/html/view/acceso.php with SQL injection payloads (e.g., ' OR '1'='1).
Check Version:
Check software version in admin interface or configuration files.
Verify Fix Applied:
After patching, retest with SQL injection payloads; ensure no database manipulation occurs.
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL queries in database logs
- Multiple failed login attempts followed by parameter manipulation
Network Indicators:
- HTTP requests to /encuestas/integraweb/html/view/acceso.php with SQL keywords in parameters
SIEM Query:
source="web_logs" AND uri="/encuestas/integraweb/html/view/acceso.php" AND (param="idestudio" AND value CONTAINS "' OR" OR value CONTAINS "UNION" OR value CONTAINS "SELECT")