4 vulnerability records found for the ajax.php plugin by Innovación y Cualificación: CVE-2025-2199 and CVE-2025-2202, each listed once from cvelistv5 and once from nvd.
CVE-2025-2202 (GCVE-0-2025-2202)
Vulnerability from cvelistv5 – Published: 2025-03-17 10:14 – Updated: 2025-03-17 12:15
Title
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php
Summary
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.
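Severity: MEDIUM (CVSS 4.0 base score 6.9, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
CWE
- CWE-863 - Incorrect Authorization
Assigner: INCIBE
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins
Impacted products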
| Vendor | Product | Version |
|---|---|---|
| Innovación y Cualificación | ajax.php plugin | Affected: all versions |
Credits
Julen Garrido Estevez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T12:14:34.931300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T12:15:05.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ajax.php plugin",
"vendor": "Innovaci\u00f3n y Cualificaci\u00f3n",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Estevez"
}
],
"datePublic": "2025-03-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email."
}
],
"value": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T10:14:37.246Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2202",
"datePublished": "2025-03-17T10:14:37.246Z",
"dateReserved": "2025-03-11T09:52:10.472Z",
"dateUpdated": "2025-03-17T12:15:05.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2199 (GCVE-0-2025-2199)
Vulnerability from cvelistv5 – Published: 2025-03-17 10:09 – Updated: 2025-03-17 12:28
Title
SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php
Summary
SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in ‘searchActionsToUpdate’, ‘searchSpecialitiesPending’, ‘searchSpecialitiesLinked’, ‘searchUsersToUpdateProfile’, ‘training_action_data’, ‘showContinuingTrainingCourses’ and ‘showUsersToEdit’ in /local/administration/ajax.php.
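Severity: CRITICAL (CVSS 4.0 base score 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: INCIBE
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins
Impacted products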
| Vendor | Product | Version |
|---|---|---|
| Innovación y Cualificación | ajax.php plugin | Affected: all versions |
Credits
Julen Garrido Estevez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T12:23:27.862144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T12:28:01.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ajax.php plugin",
"vendor": "Innovaci\u00f3n y Cualificaci\u00f3n",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Estevez"
}
],
"datePublic": "2025-03-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in \u2018searchActionsToUpdate\u2019, \u2018searchSpecialitiesPending\u2019, \u2018searchSpecialitiesLinked\u2019, \u2018searchUsersToUpdateProfile\u2019, \u2018training_action_data\u2019, \u2018showContinuingTrainingCourses\u2019 and \u2018showUsersToEdit\u2019 in /local/administration/ajax.php."
}
],
"value": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in \u2018searchActionsToUpdate\u2019, \u2018searchSpecialitiesPending\u2019, \u2018searchSpecialitiesLinked\u2019, \u2018searchUsersToUpdateProfile\u2019, \u2018training_action_data\u2019, \u2018showContinuingTrainingCourses\u2019 and \u2018showUsersToEdit\u2019 in /local/administration/ajax.php."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T10:10:23.991Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2199",
"datePublished": "2025-03-17T10:09:18.444Z",
"dateReserved": "2025-03-11T09:52:07.643Z",
"dateUpdated": "2025-03-17T12:28:01.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2202 (GCVE-0-2025-2202)
Vulnerability from nvd – Published: 2025-03-17 10:14 – Updated: 2025-03-17 12:15
Title
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php
Summary
Broken access control vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email.
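Severity: MEDIUM (CVSS 4.0 base score 6.9, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N)
CWE
- CWE-863 - Incorrect Authorization
Assigner: INCIBE
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins
Impacted products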
| Vendor | Product | Version |
|---|---|---|
| Innovación y Cualificación | ajax.php plugin | Affected: all versions |
Credits
Julen Garrido Estevez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2202",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T12:14:34.931300Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T12:15:05.683Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ajax.php plugin",
"vendor": "Innovaci\u00f3n y Cualificaci\u00f3n",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Estevez"
}
],
"datePublic": "2025-03-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email."
}
],
"value": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain sensitive information about other users such as id, name, login and email."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863 Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T10:14:37.246Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Broken access control vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2202",
"datePublished": "2025-03-17T10:14:37.246Z",
"dateReserved": "2025-03-11T09:52:10.472Z",
"dateUpdated": "2025-03-17T12:15:05.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-2199 (GCVE-0-2025-2199)
Vulnerability from nvd – Published: 2025-03-17 10:09 – Updated: 2025-03-17 12:28
Title
SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php
Summary
SQL injection vulnerability in the Innovación y Cualificación local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in ‘searchActionsToUpdate’, ‘searchSpecialitiesPending’, ‘searchSpecialitiesLinked’, ‘searchUsersToUpdateProfile’, ‘training_action_data’, ‘showContinuingTrainingCourses’ and ‘showUsersToEdit’ in /local/administration/ajax.php.
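Severity: CRITICAL (CVSS 4.0 base score 9.3, CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner: INCIBE
References
- https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins
Impacted products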
| Vendor | Product | Version |
|---|---|---|
| Innovación y Cualificación | ajax.php plugin | Affected: all versions |
Credits
Julen Garrido Estevez
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-2199",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-03-17T12:23:27.862144Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T12:28:01.452Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "ajax.php plugin",
"vendor": "Innovaci\u00f3n y Cualificaci\u00f3n",
"versions": [
{
"status": "affected",
"version": "all versions"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Julen Garrido Estevez"
}
],
"datePublic": "2025-03-11T11:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in \u2018searchActionsToUpdate\u2019, \u2018searchSpecialitiesPending\u2019, \u2018searchSpecialitiesLinked\u2019, \u2018searchUsersToUpdateProfile\u2019, \u2018training_action_data\u2019, \u2018showContinuingTrainingCourses\u2019 and \u2018showUsersToEdit\u2019 in /local/administration/ajax.php."
}
],
"value": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php. This vulnerability allows an attacker to obtain, update and delete data from the database by injecting an SQL query in \u2018searchActionsToUpdate\u2019, \u2018searchSpecialitiesPending\u2019, \u2018searchSpecialitiesLinked\u2019, \u2018searchUsersToUpdateProfile\u2019, \u2018training_action_data\u2019, \u2018showContinuingTrainingCourses\u2019 and \u2018showUsersToEdit\u2019 in /local/administration/ajax.php."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-03-17T10:10:23.991Z",
"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"shortName": "INCIBE"
},
"references": [
{
"url": "https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-moodle-innovacion-y-cualificacion-plugins"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"value": "Innovaci\u00f3n y Cualificaci\u00f3n has released a new version that fixes the vulnerabilities detected in the affected plugins. It has been implemented in all installations of the affected software, and the process will be completed in December 2024."
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "SQL injection vulnerability in the Innovaci\u00f3n y Cualificaci\u00f3n local administration plugin ajax.php",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
"assignerShortName": "INCIBE",
"cveId": "CVE-2025-2199",
"datePublished": "2025-03-17T10:09:18.444Z",
"dateReserved": "2025-03-11T09:52:07.643Z",
"dateUpdated": "2025-03-17T12:28:01.452Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}