Description

diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction.

INFO

Published Date :

2025-08-27T00:00:00.000Z

Last Modified :

2025-08-27T19:41:05.865Z

Source :

mitre
AFFECTED PRODUCTS

The following products are affected by CVE-2025-50984 vulnerability.

Vendors Products
Diskover
  • Diskover
Diskoverdata
  • Diskover
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-50984.

URL Resource
https://github.com/4rdr/proofs/blob/main/info/diskover-web-v2.3.0-community-edition-sqli.md cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact