PT-2025-42887 · Unknown · Simple.Erp
Kamil Dąbkowski
·
Published
2025-10-21
·
Updated
2025-10-21
·
CVE-2025-9339
CVSS v4.0
7.1
High
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
SIMPLE.ERP versions prior to 6.30@a04.3
Description
A SQL injection issue exists in the warehouse document filtering form of SIMPLE.ERP software. A logged-in user can submit a payload of up to 20 characters. A confirmed use case allows for the deletion of tables with names up to 6 characters in length. Data exfiltration within the query character limit was not possible.
Recommendations
Update SIMPLE.ERP to version 6.30@a04.3 or later.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Simple.Erp