cbcvebase.
CVE-2025-41373
published 2025-08-01

CVE-2025-41373: A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated…

PriorityP261high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EXPLOIT
EPSS
1.00%
58.4th percentile
A SQL injection vulnerability has been found in Gandia Integra Total of TESI from version 2.1.2217.3 to v4.4.2236.1. The vulnerability allows an authenticated attacker to retrieve, create, update and delete databases through the 'idestudio' parameter in /encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php.

Affected

2 ranges
VendorProductVersion rangeFixed in
tesigandia_integra_total>= 2.1.2217.3 < 4.4.2236.14.4.2236.1
tesigandiagandia_integra_total2.1.2217.3 – 4.4.2236.1

Detection & IOCsextracted from sources · hover to see the quote

path/encuestas/integraweb_v4/integra/html/view/hislistadoacciones.php
path/encuestas/integraweb[_v4]/integra/html/view/hislistadoacciones.php
  • Alert on SQL error strings in HTTP responses from the application, including: 'You have an error in your SQL syntax', 'Warning: mysql', 'PDOException', 'Incorrect syntax near', 'SQLSTATE', 'ORA-01756', 'ORA-00933' — these indicate successful injection triggering a database error.
  • Detect time-based blind SQLi attempts by monitoring for anomalously delayed responses (>=3-4 seconds) on the vulnerable endpoint, consistent with SLEEP(4) or WAITFOR DELAY payloads.
  • The exploit sends requests with User-Agent 'sqlmap'; correlate this UA with requests to the vulnerable path as a high-confidence indicator of automated exploitation.
  • The vulnerability is exploitable by authenticated users only; correlate SQLi attempts on this path with valid session cookies to identify compromised or malicious authenticated accounts.
  • ·Affected versions span 2.1.2217.3 through 4.4.2236.1; the exploit PoC targets the integraweb_v4 path variant, but the NVD advisory also references the non-v4 path (/encuestas/integraweb/...), so detection rules should cover both path variants.
  • ·The exploit PoC uses URL-encoded payloads via curl_easy_escape; detection signatures must decode URL encoding before matching SQL injection patterns in the idestudio parameter.
  • ·Affected versions range from 2.1.2217.3 to v4.4.2236.1; ensure version-based detection or patching targets this full range.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.08.7HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.