{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2025-27378","assignerOrgId":"4760f414-e1ae-4ff1-bdad-c7a9c3538b79","state":"PUBLISHED","assignerShortName":"Altium","dateReserved":"2025-02-23T21:02:12.105Z","datePublished":"2026-01-22T01:06:19.022Z","dateUpdated":"2026-01-22T19:20:07.317Z"},"containers":{"cna":{"affected":[{"defaultStatus":"unaffected","modules":["SQL parsing logic","Database query handling"],"platforms":["Web"],"product":"AES","vendor":"Altium","versions":[{"changes":[{"at":"7.0.6","status":"unaffected"}],"lessThanOrEqual":"7.0.5","status":"affected","version":"7.0.3","versionType":"semver"}]}],"datePublic":"2025-04-05T00:18:00.000Z","descriptions":[{"lang":"en","supportingMedia":[{"base64":false,"type":"text/html","value":"AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.<br>"}],"value":"AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries."}],"impacts":[{"capecId":"CAPEC-66","descriptions":[{"lang":"en","value":"CAPEC-66 SQL Injection"}]},{"capecId":"CAPEC-108","descriptions":[{"lang":"en","value":"CAPEC-108 Command Injection"}]},{"capecId":"CAPEC-7","descriptions":[{"lang":"en","value":"CAPEC-7 Blind SQL Injection"}]}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"NETWORK","availabilityImpact":"LOW","baseScore":8.6,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"LOW","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L","version":"3.1"},"format":"CVSS","scenarios":[{"lang":"en","value":"GENERAL"}]}],"problemTypes":[{"descriptions":[{"cweId":"CWE-89","description":"CWE-89 SQL Injection","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-20","description":"CWE-20 Improper Input Validation","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"4760f414-e1ae-4ff1-bdad-c7a9c3538b79","shortName":"Altium","dateUpdated":"2026-01-22T01:18:38.259Z"},"references":[{"url":"https://www.altium.com/platform/security-compliance/security-advisories"}],"source":{"discovery":"UNKNOWN"},"title":"SQL Injection in AES Due to Inactive SQL Parsing Configuration","x_generator":{"engine":"Vulnogram 0.5.0"}},"adp":[{"metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-01-22T19:19:50.310716Z","id":"CVE-2025-27378","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-01-22T19:20:07.317Z"}}]}}