CVE-2025-46053

Name of the Vulnerable Software and Affected Versions WebERP version 4.15.2

Description A SQL Injection issue allows attackers to execute arbitrary SQL commands and extract sensitive data by injecting a crafted payload into the ReportID and ReplaceReportID parameters within a POST request to "/reportwriter/admin/ReportCreator.php".

Recommendations For WebERP version 4.15.2, as a temporary workaround, consider disabling the "/reportwriter/admin/ReportCreator.php" endpoint until a patch is available. Restrict access to the ReportID and ReplaceReportID parameters to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this issue.