CVE-2025-41008
Description
SQL injection vulnerability in Sinturno. This vulnerability allows an attacker to retrieve, create, update, and delete databases through the 'client' parameter in the '/_adm/scripts/modalReport_data.php' endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Critical SQL injection in Sinturno via the 'client' parameter allows unauthenticated attackers to fully compromise the database.
A critical SQL injection vulnerability has been identified in Sinturno, an online appointment management system. The flaw resides in the /_adm/scripts/modalReport_data.php endpoint, specifically within the client parameter. An attacker can inject arbitrary SQL commands into this parameter without any authentication, as the application fails to properly sanitize user input before constructing database queries [1].
Exploitation
The vulnerability is remotely exploitable over the network (CVSS v4.0 vector AV:N/AC:L/AT:N/PR:N/UI:N) and requires no user interaction or elevated privileges. By crafting malicious SQL statements in the client parameter, an attacker can execute arbitrary queries against the underlying database. The lack of authentication and the straightforward attack vector make this vulnerability particularly accessible to malicious actors [1].
Impact
Successful exploitation grants the attacker the ability to retrieve, create, update, and delete database records. This level of database manipulation could lead to unauthorized access to sensitive appointment data, complete data loss, or service disruption. The CVSS v4.0 base score of 9.3 (Critical) reflects the high impact on confidentiality, integrity, and availability of the affected system [1].
Mitigation
As of the publication date, no official patch or workaround has been released by the vendor. The advisory from INCIBE confirms that there is currently no solution available [1]. Administrators are advised to monitor vendor communications for updates and consider implementing a web application firewall (WAF) or input validation rules as temporary mitigations until a fix is provided.
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
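The temporary input-validation idea from the Mitigation section, sketched as an allowlist check replayed over web access logs (an added example, not code from the vendor, INCIBE or this page). It assumes the client value travels in the query string, that legitimate values are short alphanumeric identifiers, and that logs use the combined format; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote

ENDPOINT = "/_adm/scripts/modalReport_data.php"  # path from the CVE description
PARAM = "client"                                 # parameter from the CVE description
# Assumption: legitimate 'client' values are short alphanumeric identifiers.
ALLOWED = re.compile(r"[A-Za-z0-9_-]{1,32}")
# Client IP, request target and status code of a combined-format log entry.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def check_value(value):
    """Return True only if the decoded value matches the allowlist in full."""
    return ALLOWED.fullmatch(value) is not None

def review_log(lines):
    """Return (line_no, ip, status, values) for suspicious endpoint requests."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = REQUEST_RE.match(line)
        if not m:
            continue
        # Split by hand: urlsplit() would read a leading '//' as a host name.
        path, _, query = m["target"].partition("?")
        path = re.sub(r"/+", "/", unquote(path))  # undo %-encoding, collapse '//'
        if path != ENDPOINT and not path.startswith(ENDPOINT + "/"):
            continue
        values = parse_qs(query, keep_blank_values=True).get(PARAM, [])
        # Flag values outside the allowlist and repeated parameters, which
        # can make a filter and the application see different values.
        if len(values) > 1 or any(not check_value(v) for v in values):
            findings.append((line_no, m["ip"], m["status"], values))
    return findings

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE = [
    '198.51.100.7 - - [19/May/2026:10:00:01 +0000] "GET /_adm/scripts/modalReport_data.php?client=1042 HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/May/2026:10:00:05 +0000] "GET /_adm/scripts/modalReport_data.php?client=1042%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120',
    '203.0.113.9 - - [19/May/2026:10:00:09 +0000] "GET //_adm/scripts/modalReport_data.php?client=1&client=2%3B-- HTTP/1.1" 500 0',
    '198.51.100.7 - - [19/May/2026:10:00:12 +0000] "GET /index.php?client=%27 HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in review_log(SAMPLE):
        print(finding)
```

The same allowlist can be enforced at a reverse proxy in front of the endpoint; requests that send client in a POST body do not appear in access logs and need body-level inspection instead.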
Affected products (2)
- Sinturno/Sinturno v5, Range: all versions
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.