CVE-2025-7886 Information

Jul 21, 2025 cve

Description

A vulnerability which was classified as critical was found in pmTicket Project-Management-Software up to 2ef379da2075f4761a2c9029cf91d073474e7486. This affects the function getUserLanguage of the file classes/class.database.php. The manipulation of the argument user_id leads to sql injection. It is possible to initiate the attack remotely. This product takes the approach of rolling releases to provide continious delivery. Therefore version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Reference

https://asciinema.org/a/3wu3WGpnrnMc2GDvSyLUqqHUF https://vuldb.com/?ctiid.317001 https://vuldb.com/?id.317001 https://vuldb.com/?submit.614534

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

NONE

Confidentiality Impact

UNCHANGED

Integrity Impact

LOW

Availability Impact

LOW

Base Score

LOW

Base Severity

7.3

CNNVD-202507-2558 (Published: 2025-07-20)

Share on: