Vulnerability Description
An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gridsquare POST parameter. This allows a remote, authenticated attacker to execute arbitrary SQL commands by injecting a malicious payload, which is then concatenated directly into a raw SQL query in the vucc_qso_details function.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Magicbug | Cloudlog | < 2.7.6 |
Related Weaknesses (CWE)
References
- https://github.com/XY20130630/Cloudlog/security/advisories/GHSA-4r9r-3r3q-jg44ExploitThird Party Advisory
- https://github.com/magicbug/Cloudlog/commit/72a8c3d705c8629f60f64da9f37968417c98Patch
- https://github.com/magicbug/Cloudlog/releases/tag/2.7.6Release Notes
FAQ
What is CVE-2025-64084?
CVE-2025-64084 is a vulnerability with a CVSS score of 5.4 (MEDIUM). An authenticated SQL injection vulnerability exists in Cloudlog 2.7.5 and earlier. The vucc_details_ajax function in application/controllers/Awards.php does not properly sanitize the user-supplied Gri...
How severe is CVE-2025-64084?
CVE-2025-64084 has been rated MEDIUM with a CVSS base score of 5.4/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-64084?
Check the references section above for vendor advisories and patch information. Affected products include: Magicbug Cloudlog.