SQLi in Fanwei e-Cology 8.0 via getdata.jsp sql param
CVE-2025-34038 Published on June 24, 2025
Weaver E-cology SQL Injection
A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.
Weakness Type
What is a SQL Injection Vulnerability?
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
CVE-2025-34038 has been classified to as a SQL Injection vulnerability or weakness.
Products Associated with CVE-2025-34038
Want to know whenever a new CVE is published for Weiphp? stack.watch will email you.
Affected Versions
Weaver E-cology:- Before and including 8.0 is affected.
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.