Full Report
CERT Polska has received a report about two vulnerabilities (CVE-2025-12462 and CVE-2025-14532) found in the DobryCMS software.
Analysis Summary
# Vulnerability: Multiple Vulnerabilities in DobryCMS
## CVE Details
- **CVE ID:** CVE-2025-12462
- **CVSS Score:** Not explicitly provided (Estimated: High/Critical)
- **CWE:** CWE-89 (Improper Neutralization of Special Elements used in an SQL Command - 'SQL Injection')
- **CVE ID:** CVE-2025-14532
- **CVSS Score:** Not explicitly provided (Estimated: Critical due to RCE)
- **CWE:** CWE-434 (Unrestricted Upload of File with Dangerous Type)
## Affected Systems
- **Products:** DobryCMS (developed by Studio Fabryka)
- **Versions:**
  - **CVE-2025-12462:** Versions up to 8.0
  - **CVE-2025-14532:** Versions 1.x, 2.x, and 5.0
- **Configurations:** Standard installations with public-facing interfaces.
## Vulnerability Description
**CVE-2025-12462:** A Blind SQL Injection flaw exists within the URL path processing logic. Because the application fails to properly neutralize special elements used in SQL commands, a remote unauthenticated attacker can inject malicious SQL syntax directly into the URL. This allows for the exfiltration of sensitive data from the database through inference (boolean-based or time-based techniques).
**CVE-2025-14532:** The file upload functionality lacks adequate restrictions on file types and extensions. A remote unauthenticated attacker can upload arbitrary files (e.g., PHP scripts or executables) to the server. If these files are accessible via the web root, they can be executed by the server, leading to full Remote Code Execution (RCE).
## Exploitation
- **Status:** Reported via CVD (Coordinated Vulnerability Disclosure); PoC availability not publicly confirmed in the article, but technical details suggest high exploitability.
- **Complexity:** Low
- **Attack Vector:** Network (Remote)
## Impact
- **Confidentiality:** High (Full database access and potential server takeover)
- **Integrity:** High (Ability to modify database content or server files)
- **Availability:** High (Potential for site defacement or deletion of data)
## Remediation
### Patches
The vendor, Studio Fabryka, has released updates to address these flaws:
- **For SQL Injection (CVE-2025-12462):** Update to versions **above 8.0**.
- **For Unrestricted File Upload (CVE-2025-14532):** Update to versions **above 5.0**.
### Workarounds
- Implement a Web Application Firewall (WAF) with rules to block common SQL injection patterns in URL paths.
- Restrict file upload directories to prevent the execution of scripts (e.g., set `AllowOverride None` and `RemoveHandler` in Apache, or disable execute permissions on upload folders).
## Detection
- **Indicators of Compromise:** Unusual files (scripts) in the media or upload directories; server logs showing repetitive, structured URL requests typical of Blind SQL Injection (e.g., `AND SELECT` or `SLEEP()` fragments in the path, or user agents of automated tools such as sqlmap).
- **Detection methods:** Review web server access logs for anomalous URL patterns and monitor for any newly created files in application upload directories.
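The two detection methods above, carried out in code. This is an added example written for this summary, not tooling from CERT Polska or Studio Fabryka: it parses access-log lines in the common Apache/nginx "combined" format, flags requests whose decoded path carries boolean-based or time-based SQL injection fragments, whose user agent belongs to an automated scanner, or which fetch a script file from an upload or media directory, and it lists files under an upload directory that carry a server-side script extension anywhere in the name. The log lines, file names, IP addresses, the `/uploads` and `/media` path prefixes and the extension list are constructed assumptions, not values from the advisory.

```python
"""Triage checks for the DobryCMS issues summarised above (added example, not vendor or CERT code).

  scan_access_log()         -> (ip, path, indicators) for each suspicious request line
  find_suspicious_uploads() -> relative paths of script-like files under an upload directory

All sample data below is constructed for this example.
"""
from __future__ import annotations

import re
import tempfile
from pathlib import Path
from urllib.parse import unquote_plus

# Apache/nginx "combined" format: ip ident user [time] "METHOD PATH PROTO" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Blind-SQLi fragments seen in URL paths. The path is percent-decoded before matching,
# because injected syntax is normally sent encoded. Order here fixes the order of hits.
SQLI_PATTERNS = [
    ("time-based", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
    ("boolean-based", re.compile(r"\b(and|or)\b\s+['\"]?\d+['\"]?\s*=\s*['\"]?\d+", re.I)),
    ("subquery", re.compile(r"\b(and|or)\b\s*\(?\s*select\b", re.I)),
    ("union/select", re.compile(r"\bunion\b.*\bselect\b|\bselect\b.*\bfrom\b", re.I | re.S)),
]
# Assumed upload locations (constructed); a request for a script inside them is itself an indicator.
UPLOAD_SCRIPT_RE = re.compile(r"^/(uploads|media)/.*\.(php\d?|phtml|phar)(\?|$)", re.I)
SCANNER_UA = re.compile(r"sqlmap|havij|nikto", re.I)

# Extensions a web server may hand to an interpreter. Every suffix is checked, so a double
# extension such as "cover.php.jpg" is caught as well. Dot-files that alter server behaviour
# are checked by full name because Path.suffixes is empty for them.
SCRIPT_EXTS = {".php", ".php3", ".php5", ".php7", ".phtml", ".phar", ".cgi", ".pl", ".py", ".sh", ".jsp", ".asp", ".aspx"}
DANGEROUS_NAMES = {".htaccess", ".user.ini"}


def classify_request(path: str, user_agent: str) -> list[str]:
    """Return the names of all indicators matched by one request (empty list = nothing found)."""
    decoded = unquote_plus(path)
    hits = [name for name, rx in SQLI_PATTERNS if rx.search(decoded)]
    if UPLOAD_SCRIPT_RE.search(decoded):
        hits.append("script-in-upload-dir")
    if SCANNER_UA.search(user_agent):
        hits.append("scanner-user-agent")
    return hits


def scan_access_log(lines) -> list[tuple[str, str, list[str]]]:
    """Parse each log line and keep those with at least one indicator; malformed lines are skipped."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        hits = classify_request(m["path"], m["ua"])
        if hits:
            findings.append((m["ip"], m["path"], hits))
    return findings


def find_suspicious_uploads(upload_dir) -> list[str]:
    """Return sorted relative paths of files under upload_dir that look like server-side scripts."""
    root = Path(upload_dir)
    flagged = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        if p.name.lower() in DANGEROUS_NAMES or any(s.lower() in SCRIPT_EXTS for s in p.suffixes):
            flagged.append(str(p.relative_to(root)))
    return sorted(flagged)


# Constructed sample log: one benign request, three probes from one client, one fetch of an uploaded script.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2026:08:01:02 +0100] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:01:05 +0100] "GET /news/12'%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:01:07 +0100] "GET /news/12%20AND%201=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2026:08:01:09 +0100] "GET /news/12 HTTP/1.1" 200 5123 "-" "sqlmap/1.8"
198.51.100.2 - - [10/Mar/2026:08:02:00 +0100] "GET /uploads/shell.php HTTP/1.1" 200 12 "-" "curl/8.0"
"""


def demo_upload_scan() -> list[str]:
    """Build a throwaway upload tree (constructed) and return what find_suspicious_uploads flags."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "img").mkdir()
        for name in ["img/logo.png", "img/shell.php", "img/cover.php.jpg", "doc.pdf", ".htaccess"]:
            (root / name).write_text("x")
        return find_suspicious_uploads(root)


if __name__ == "__main__":
    for ip, path, hits in scan_access_log(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {path:45} {', '.join(hits)}")
    print("suspicious uploads:", demo_upload_scan())
```

Run it against a real log with `scan_access_log(open("access.log"))` and against the CMS upload directory with `find_suspicious_uploads("/path/to/uploads")`; the regex patterns are deliberately narrow, so treat a hit as a triage lead to confirm against the full request sequence rather than as proof of compromise, and extend the path prefixes and extension set to match the actual installation.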
## References
- CERT Polska Advisory: hxxps[://]cert[.]pl/en/posts/2026/03/vulnerabilities-in-dobrycms-software/
- CVE-2025-12462: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-12462
- CVE-2025-14532: hxxps[://]www[.]cve[.]org/CVERecord?id=CVE-2025-14532