CVE ID | CVE-2025-4568 |
Publication date | 05 June 2025 |
Vendor | Trol InterMedia |
Product | 2ClickPortal |
Vulnerable versions | All before 7.14.3 |
Vulnerability type (CWE) | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89) |
Report source | Report to CERT Polska |
Description
CERT Polska has received a report about a vulnerability in Trol InterMedia 2ClickPortal software and participated in the coordination of its disclosure.
The vulnerability CVE-2025-4568: Improper neutralization of input provided by an unauthorized user in the changes__reference_id URL parameter allows for boolean-based Blind SQL Injection attacks.
The vulnerability has been fixed in version 7.14.3 of 2ClickPortal.
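Operators who ran a version before 7.14.3 can review web server logs for unusual values of this parameter. The following Python script is an added example, not code from CERT Polska or Trol InterMedia; it assumes access logs in Combined Log Format and that legitimate changes__reference_id values are plain integers. The sample log lines and the /example-page path are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

PARAM = "changes__reference_id"   # parameter named in the advisory
EXPECTED = re.compile(r"\d+")     # ASSUMPTION: legitimate values are plain integers

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample input (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '198.51.100.7 - - [05/Jun/2025:10:00:01 +0200] '
    '"GET /example-page?changes__reference_id=41 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Jun/2025:10:00:02 +0200] '
    '"GET /example-page?changes__reference_id=41%27 HTTP/1.1" 500 312',
    '203.0.113.9 - - [05/Jun/2025:10:00:03 +0200] '
    '"GET /example-page?changes__reference_id=41%20AND%201%3D1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [05/Jun/2025:10:00:04 +0200] '
    '"GET /example-page?changes__reference_id=41+AND+1%3D2 HTTP/1.1" 200 1874',
]

def suspicious_requests(lines):
    """Map client IP -> decoded PARAM values that are not plain integers."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not an access-log line in the assumed format
        ip, _method, target, _status = m.groups()
        # parse_qsl percent-decodes values, so encoded input is compared decoded.
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if name == PARAM and not EXPECTED.fullmatch(value):
                hits[ip].append(value)
    return dict(hits)

def repeat_offenders(lines, min_requests=3):
    """Clients with at least min_requests anomalous values; blind SQL injection
    needs many requests, so volume per client is a useful triage signal."""
    hits = suspicious_requests(lines)
    return sorted(ip for ip, values in hits.items() if len(values) >= min_requests)

if __name__ == "__main__":
    for ip, values in suspicious_requests(SAMPLE_LOG).items():
        print(ip, len(values), values)
```

Hits from such a review indicate requests worth investigating, not proof of compromise; upgrading to 7.14.3 or later remains the fix.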
Credits
We thank Kamil Szczurowski and Robert Kruczek for the responsible vulnerability report.
More about the coordinated vulnerability disclosure process at CERT Polska can be found at https://cert.pl/en/cvd/.