CVE Catalog

CVE-2025-56385

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.40%

32th percentile - higher than 32% of all known CVEs

Summary

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful exploitation may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

Risk Assessment

The risk includes unauthorized system access, theft of sensitive patient data, and potential full compromise of the backend database, which could result in severe compliance violations and financial losses.

Recommendation

Immediately apply the vendor patch or implement parameterized SQL queries and input validation for the 'TXTUSERID' parameter. Restrict access to the 'xmHarmony.asp' endpoint to trusted networks only.

Original NVD description (English source)

A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS