CVE-2025-8219

MEDIUM

Lingdang CRM < 8.6.5.2 - SQL Injection via getvaluestring Parameter

Title source: llm

Description

A vulnerability was found in Shanghai Lingdang Information Technology Lingdang CRM up to 8.6.4.7. It has been rated as critical. This issue affects some unknown processing of the file /crm/crmapi/erp/tabdetail_moduleSave_dxkp.php of the component HTTP POST Request Handler. The manipulation of the argument getvaluestring leads to sql injection. The attack may be initiated remotely. Upgrading to version 8.6.5.2 is able to address this issue. It is recommended to upgrade the affected component. The vendor explains: "All SQL injection vectors were patched via parameterized queries and input sanitization in v8.6.5+. We strongly advise all customers to upgrade to the current version (v8.6.5.2), which includes this fix and additional security enhancements."

References (4)

Core 4

Core References

Third Party Advisory, VDB Entry vdb-entry technical-description

https://vuldb.com/?id.317807

Permissions Required, VDB Entry signature permissions-required

https://vuldb.com/?ctiid.317807

Broken Link related

https://www.notion.so/SQL-Injection-Vulnerability-in-Lingdang-CRM-231ac9e8711e8017ab4ee3bb5f4aab0b?source=copy_link

Third Party Advisory, VDB Entry third-party-advisory

https://vuldb.com/?submit.616140

Scores

CVSS v3 6.3

EPSS 0.0036

EPSS Percentile 27.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-74 CWE-89

Status published

Products (1)

51mis/lingdang_crm < 8.6.5.2

Published Jul 27, 2025

Tracked Since Feb 18, 2026