PT-2025-26669 · Fanwei · Fanwei E-Cology
R1Ch4Rd_L · Published 2025-06-24 · Updated 2025-11-17
CVE-2025-34038
CVSS v4.0: 8.7 (High)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions:
Fanwei e-cology versions 8.0 and prior
Description:
A SQL injection issue exists that allows unauthenticated attackers to execute arbitrary SQL queries via the "getdata.jsp" endpoint. The application passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, which is reachable through the cmd=getSelectAllId workflow in the AjaxManager. This could expose sensitive data, such as administrator password hashes.
Recommendations:
For Fanwei e-cology versions 8.0 and prior, consider disabling the getSelectAllIds(sql, type) method or restricting access to the "getdata.jsp" endpoint until a patch is available. Additionally, avoid using the sql parameter in the affected endpoint to minimize the risk of exploitation.
Exploit
Fix
SQL injection
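The recommendation above is to restrict access to the "getdata.jsp" endpoint and avoid the sql parameter until a patch is available. The following script, an added example that is neither Positive Technologies' nor Fanwei's code, shows how a defender can check web-server access logs for requests that hit the affected cmd=getSelectAllId workflow, so that exposure can be measured and blocked at a reverse proxy. It assumes the common combined access-log layout; the log lines, the "/placeholder/" directory in front of getdata.jsp, the second cmd value and the sql parameter value are all constructed for the example and are not taken from the advisory.

```python
"""Flag access-log requests matching the PT-2025-26669 / CVE-2025-34038 pattern.

Added example, not vendor code. Assumes the combined access-log layout and the
endpoint, cmd and parameter names as stated in the advisory. All sample data
below is constructed.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines; "/placeholder/" stands in for the real
# application directory, which the advisory does not state.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Jun/2025:10:01:02 +0000] "GET /placeholder/index.jsp HTTP/1.1" 200 512
10.0.0.7 - - [24/Jun/2025:10:01:05 +0000] "GET /placeholder/getdata.jsp?cmd=getSelectAllId&sql=constructed_value&type=0 HTTP/1.1" 200 88
10.0.0.7 - - [24/Jun/2025:10:01:09 +0000] "POST /placeholder/getdata.jsp?cmd=getSelectAllId HTTP/1.1" 200 40
10.0.0.9 - - [24/Jun/2025:10:02:00 +0000] "GET /placeholder/getdata.jsp?cmd=otherCmd&id=12 HTTP/1.1" 200 300
"""

# Combined log format: client, ident, user, [timestamp], "METHOD target proto", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

AFFECTED_ENDPOINT = "getdata.jsp"      # from the advisory
AFFECTED_CMD = "getselectallid"        # cmd=getSelectAllId, compared case-insensitively


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    # keep_blank_values so that an empty 'sql=' is still recorded as present.
    rec["params"] = {
        k.lower(): v for k, v in parse_qs(parts.query, keep_blank_values=True).items()
    }
    return rec


def classify(rec):
    """Return None (no match), 'review' or 'alert' for one parsed record."""
    if rec is None:
        return None
    basename = rec["path"].rsplit("/", 1)[-1].lower()
    if basename != AFFECTED_ENDPOINT:
        return None
    cmd = rec["params"].get("cmd", [""])[0].lower()
    if cmd != AFFECTED_CMD:
        return None
    if rec["params"].get("sql", [""])[0] != "":
        return "alert"   # caller-supplied SQL text is visible in the query string
    # Same vulnerable workflow was reached; the sql parameter may have been
    # sent in a POST body that the access log does not record.
    return "review"


def scan(log_text):
    """Return (verdict, client, method, target) for every line worth looking at."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        verdict = classify(rec)
        if verdict:
            findings.append((verdict, rec["ip"], rec["method"], rec["target"]))
    return findings


if __name__ == "__main__":
    for verdict, ip, method, target in scan(SAMPLE_LOG):
        print(f"{verdict:6} {ip:12} {method:4} {target}")
```

Any "alert" line means the sql parameter reached the vulnerable workflow from outside and the database should be treated as potentially read by an unauthenticated client; "review" lines show the same workflow being used at all, which is what a proxy rule denying requests to getdata.jsp with cmd=getSelectAllId would stop while the patch is pending.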
Weakness Enumeration
Related Identifiers
Affected Products
Fanwei E-Cology