CVE-2025-40617: SQL injection vulnerability in Bookgy
First published: Tue Apr 29 2025(Updated: )
SQL injection vulnerability in Bookgy. This vulnerability could allow an attacker to retrieve, create, update and delete databases by sending an HTTP request through the "IDTIPO", "IDPISTA" and "IDSOCIO" parameters in /bkg_seleccionar_hora_ajax.php.
Credit: cve-coordination@incibe.es
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bookgy |
Remedy
The vulnerability has been fixed by the Bookgy team in October 2024 and are no longer exploitable today.
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Frequently Asked Questions
What is the severity of CVE-2025-40617?
CVE-2025-40617 is classified as a critical SQL injection vulnerability.
How do I fix CVE-2025-40617?
To fix CVE-2025-40617, you should validate and sanitize input parameters "IDTIPO", "IDPISTA", and "IDSOCIO" to prevent malicious SQL queries.
What software is affected by CVE-2025-40617?
CVE-2025-40617 affects the Bookgy application.
What impact does CVE-2025-40617 have on security?
CVE-2025-40617 can allow attackers to manipulate the database, leading to data theft or corruption.
Is there a workaround for CVE-2025-40617?
A temporary workaround for CVE-2025-40617 is to disable the affected PHP script until a patch is applied.
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/title
- agent/references
- agent/remedy
- agent/type
- agent/description
- agent/first-publish-date
- agent/guess-ai
- agent/software-canonical-lookup
- agent/software-canonical-lookup-request
- agent/softwarecombine
- collector/nvd-api
- source/NVD
- agent/last-modified-date
- agent/author
- agent/severity
- agent/event
- collector/epss-latest
- source/FIRST
- agent/source
- agent/tags
- agent/epss
- vendor/bookgy
- canonical/bookgy