CVE-2025-2353

Name of the Vulnerable Software and Affected Versions: VAM Virtual Airlines Manager versions up to 2.6.2

Description: A critical issue was found in the HTTP GET Parameter Handler of VAM Virtual Airlines Manager, affecting an unknown function of the file /vam/index.php. The manipulation of the ID, registry id, or plane icao arguments leads to SQL injection. This issue can be exploited remotely. Other parameters might also be affected.

Recommendations: For versions up to 2.6.2, consider disabling the index.php file or restricting access to it until a patch is available. As a temporary workaround, avoid using the ID, registry id, and plane icao parameters in the affected HTTP GET requests until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.