PT-2025-15292 · Unknown · Xiaozhi-Esp32-Server-Java
Exp3N5Ive
·
Published
2025-04-07
·
Updated
2025-04-07
·
CVE-2025-3382
CVSS v2.0
6.5
Medium
| Vector | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Name of the Vulnerable Software and Affected Versions
joey-zhou xiaozhi-esp32-server-java up to a14fe8115842ee42ab5c7a51706b8a85db5200b7
Description
A critical issue has been found in the software, affecting the
update function of the "/api/user/update" API endpoint. The manipulation of the state argument leads to SQL injection. This issue can be exploited remotely.Recommendations
As a temporary workaround, consider disabling the
update function of the "/api/user/update" API endpoint until a fix is available.
Restrict access to the "/api/user/update" API endpoint to minimize the risk of exploitation.
Avoid using the state argument in the affected API endpoint until the issue is resolved.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.Exploit
Special Elements Injection
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Xiaozhi-Esp32-Server-Java