PT-2025-48114 · Db Elettronica Telecomunicazioni Spa · Mozart Fm Transmitter
Abdul Mhanni · Published 2025-11-26 · Updated 2025-12-03 · CVE-2025-66260
CVSS v4.0: 7.2 (High)
| Vector | AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:L/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000
Description
The software is susceptible to a SQL injection issue through the status sql.php endpoint. The endpoint builds SQL UPDATE queries by concatenating the user-supplied sw1 and sw2 parameters directly into the statement, without input sanitization or the use of parameterized queries. While PostgreSQL's pg_exec function limits stacked queries, attackers can still inject subqueries to extract data and use the detailed error messages returned by the endpoint to gather system information.
Recommendations
Versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, and 7000 should be updated to a version that properly sanitizes user input or uses parameterized queries when interacting with the database. As a temporary workaround, consider restricting access to the status sql.php endpoint until a patch is available.
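The following is an added illustration of the query-building pattern the advisory describes next to a hardened version; it is not the vendor's code. The table name (transmitter_status), the column names, the connection string, and the assumption that sw1/sw2 are 0/1 switch states are all made up for the example.

```php
<?php
// Added example, not code from the Mozart firmware. Table, columns, connection
// string and the 0/1 value range for sw1/sw2 are assumptions.
$conn = pg_connect("host=127.0.0.1 dbname=tx user=tx_app password=CHANGE_ME");

// --- Vulnerable pattern (as described in the advisory) ---
// Request parameters are spliced straight into the UPDATE text, so any
// quote or subquery in sw1/sw2 becomes part of the SQL statement.
function update_switches_vulnerable($conn, array $get): void {
    $sw1 = $get['sw1'];
    $sw2 = $get['sw2'];
    $sql = "UPDATE transmitter_status SET sw1 = '$sw1', sw2 = '$sw2' WHERE id = 1";
    $res = pg_exec($conn, $sql);             // pg_exec is an alias of pg_query
    if ($res === false) {
        echo pg_last_error($conn);           // verbose DB error sent to the client
    }
}

// --- Hardened version ---
// 1) allow-list validation of the two parameters before they reach the DB,
// 2) pg_query_params so values are bound, never parsed as SQL,
// 3) database errors logged server-side and a generic message returned.
function update_switches_safe($conn, array $get): bool {
    foreach (['sw1', 'sw2'] as $p) {
        // Assumed: switch states are exactly "0" or "1"; reject anything else.
        if (!isset($get[$p]) || !preg_match('/^[01]$/', (string)$get[$p])) {
            http_response_code(400);
            echo 'invalid parameter';
            return false;
        }
    }
    $sql = 'UPDATE transmitter_status SET sw1 = $1, sw2 = $2 WHERE id = $3';
    $res = pg_query_params($conn, $sql, [(int)$get['sw1'], (int)$get['sw2'], 1]);
    if ($res === false) {
        error_log('status update failed: ' . pg_last_error($conn)); // keep detail in logs
        http_response_code(500);
        echo 'internal error';                                      // no schema/driver detail
        return false;
    }
    return true;
}

update_switches_safe($conn, $_GET);
```

Until a fixed firmware is available, the same allow-list check can be enforced in front of the endpoint (for example in the web server configuration), which is the interim mitigation the advisory recommends.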
Weakness Enumeration
SQL injection
Affected Products
Mozart Fm Transmitter