2 vulnerabilities
CVE-2025-13596 (GCVE-0-2025-13596)
Vulnerability from cvelistv5 – Published: 2025-11-24 07:30 – Updated: 2025-11-24 13:47
Summary
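A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.
Note: the record is internally inconsistent about the affected range. This summary and the record title say 2.15.6 and earlier, while the structured version data lists 2.15.0 up to, but not including, 2.15.6 as affected. Confirm the fixed version against the vendor advisory before using either value for exposure checks.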
Severity ?
CWE
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ATISoluciones | CIGES | Affected: 2.15.0 , < 2.15.6 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-13596",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-24T13:47:37.611508Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T13:47:44.911Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"error-handling"
],
"platforms": [
"Linux",
"Windows"
],
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"lessThan": "2.15.6",
"status": "affected",
"version": "2.15.0",
"versionType": "semver"
}
]
}
],
"datePublic": "2025-11-24T07:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise.\u003cbr\u003e\u003cbr\u003e"
}
],
"value": "A sensitive information disclosure vulnerability exists in the error handling component of ATISoluciones CIGES Application version 2.15.6 and earlier. When certain unexpected conditions trigger unhandled exceptions, the application returns detailed error messages and stack traces to the client. This may expose internal filesystem paths, SQL queries, database connection details, or environment configuration data to remote unauthenticated attackers. This issue allows information gathering and reconnaissance but does not enable direct system compromise."
}
],
"impacts": [
{
"capecId": "CAPEC-54",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-54 Query System for Information"
}
]
},
{
"capecId": "CAPEC-169",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-169 Footprinting"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NO",
"Recovery": "USER",
"Safety": "NEGLIGIBLE",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 2.7,
"baseSeverity": "LOW",
"exploitMaturity": "UNREPORTED",
"privilegesRequired": "NONE",
"providerUrgency": "CLEAR",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "DIFFUSE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/S:N/AU:N/R:U/V:D/U:Clear",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-209",
"description": "CWE-209 Generation of Error Message Containing Sensitive Information",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-200",
"description": "CWE-200 Exposure of Sensitive Information to an Unauthorized Actor",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-24T07:30:49.545Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Improper Error Handling Leading to Sensitive Information Disclosure in CIGES \u2264 2.15.6",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-13596",
"datePublished": "2025-11-24T07:30:49.545Z",
"dateReserved": "2025-11-24T07:29:40.249Z",
"dateUpdated": "2025-11-24T13:47:44.911Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-1751 (GCVE-0-2025-1751)
Vulnerability from cvelistv5 – Published: 2025-02-27 12:03 – Updated: 2025-02-27 14:42
Summary
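A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.
Note: the record's solution text states that v2.15.6 was released to address this issue, with the affected queries converted to prepared statements. The solution text spells the file ajaxBloqueoCita.php, whereas this summary spells it ajaxBloqueaCita.php; the record does not say which spelling is correct.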
Severity ?
9.8 (Critical)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
Impacted products
| Vendor | Product | Version |
|---|---|---|
| ATISoluciones | CIGES | Affected: 2.15.5 |
Credits
Gonzalo Aguilar Garcia (6h4ack)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-1751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-27T14:42:22.003408Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T14:42:34.087Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "CIGES",
"vendor": "ATISoluciones",
"versions": [
{
"status": "affected",
"version": "2.15.5"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Gonzalo Aguilar Garcia (6h4ack)"
}
],
"datePublic": "2025-02-27T11:40:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cdiv\u003e\u003cdiv\u003eA SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint.\u003c/div\u003e\u003c/div\u003e"
}
],
"value": "A SQL Injection vulnerability has been found in Ciges 2.15.5 from ATISoluciones. This vulnerability allows an attacker to retrieve, create, update and delete database via $idServicio parameter in /modules/ajaxBloqueaCita.php endpoint."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-02-27T12:03:10.610Z",
"orgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"shortName": "ATIS"
},
"references": [
{
"url": "https://www.atisoluciones.com/incidentes-cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "All functions involved in \u003ccode\u003eajaxBloqueoCita.php\u003c/code\u003e are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities.\n\n\u003cbr\u003e"
}
],
"value": "All functions involved in ajaxBloqueoCita.php are reviewed, and some queries that cause this vulnerability are found. Prepared statements are then implemented in all of them.\n\nA new version of the software, v2.15.6, has been released to address the detected vulnerabilities."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SQL Injection CIGES",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "68e1e1d3-5247-4d65-9f39-ef1a02cf571e",
"assignerShortName": "ATIS",
"cveId": "CVE-2025-1751",
"datePublished": "2025-02-27T12:03:10.610Z",
"dateReserved": "2025-02-27T11:17:37.585Z",
"dateUpdated": "2025-02-27T14:42:34.087Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}