CVE-2025-41348

Name of the Vulnerable Software and Affected Versions WinPlus version 24.11.27

Description A SQL injection issue exists in WinPlus version 24.11.27. This allows an attacker to recover, create, update, and delete databases. The issue is triggered by sending a POST request to the ''/WinplusPortal/ws/sWinplus.svc/json/getacumper post'' endpoint, utilizing the val1 and cont parameters.

Recommendations Apply a fix for WinPlus version 24.11.27 to address the SQL injection issue. As a temporary workaround, restrict access to the ''/WinplusPortal/ws/sWinplus.svc/json/getacumper post'' endpoint. Sanitize the val1 and cont parameters before processing them in the getacumper post function.