3 matches found
CVE-2025-41018
The CVE-2025-41018 entry details a SQL injection in Sergestec’s Exito v8.0. The vulnerability is reachable via the cat parameter in /public.php, allowing an attacker to retrieve, create, update, and delete databases. Connected sources (Red Hat, NVD, CVE lists, ENISA/EUVD) corroborate the same des...
CVE-2025-41020
CVE-2025-41020 affects Sergestec Exito v8.0. An IDOR in /admin/ticket_a4.php (id parameter) allows access to other customers’ data. Root cause: insecure direct object reference. Impact per sources includes HIGH confidentiality impact (CVE metrics: CVSS v3.1 base 7.5, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I...
CVE-2025-41021
The CVE-2025-41021 entry describes a Stored Cross-Site Scripting (XSS) in Sergestec’s Exito v8.0. The root cause is lack of proper validation of user input in a POST to /admin/index.php?action=product_update via the obs parameter, enabling a stored XSS payload. Impact stated includes the possibil...