CVE-2025-56385
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk32th percentile - higher than 32% of all known CVEs
Summary
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful exploitation may lead to authentication bypass, data leakage, or full system compromise of backend database contents.
Risk Assessment
The risk includes unauthorized system access, theft of sensitive patient data, and potential full compromise of the backend database, which could result in severe compliance violations and financial losses.
Recommendation
Immediately apply the vendor patch or implement parameterized SQL queries and input validation for the 'TXTUSERID' parameter. Restrict access to the 'xmHarmony.asp' endpoint to trusted networks only.
Original NVD description (English source)
A SQL injection vulnerability exists in the login functionality of WellSky Harmony version 4.1.0.2.83 within the 'xmHarmony.asp' endpoint. User-supplied input to the 'TXTUSERID' parameter is not properly sanitized before being incorporated into a SQL query. Successful authentication may lead to authentication bypass, data leakage, or full system compromise of backend database contents.

