High severity7.5NVD Advisory· Published Jun 24, 2025· Updated Jun 17, 2026
CVE-2025-34038
CVE-2025-34038
Description
A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: 8.0
Patches
Vulnerability mechanics
References
4- vulncheck.com/advisories/fanwei-ecology-sql-injectionnvdExploitThird Party Advisory
- www.cnblogs.com/0day-li/p/14637680.htmlnvdExploit
- www.cnvd.org.cn/flaw/show/CNVD-2021-33202nvdThird Party Advisory
- weaver.com.co/products/ecology/nvd
News mentions
0No linked articles in our index yet.