Search criteria
3 vulnerabilities by SicommNet
CVE-2025-22373 (GCVE-0-2025-22373)
Vulnerability from cvelistv5 – Published: 2025-04-14 15:32 – Updated: 2025-04-15 10:38
VLAI?
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles
This issue affects BASEC: from 14 Dec 2021.
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Jesse Meijer (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22373",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:06:57.312422Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T16:07:41.629Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"SaaS"
],
"product": "BASEC",
"vendor": "SicommNet",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "14 Dec 2021",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jesse Meijer (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2025-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles\u003cp\u003eThis issue affects BASEC: from 14 Dec 2021.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in SicommNet BASEC on SaaS allows Reflected XSS, XSS Through HTTP Query Strings, Rendering of Arbitrary HTML and alternation of CSS Styles\nThis issue affects BASEC: from 14 Dec 2021."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
},
{
"capecId": "CAPEC-32",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-32 XSS Through HTTP Query Strings"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T10:38:54.463Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"product"
],
"url": "https://basec.sicomm.net/login/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2025-00001"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2025-22373"
}
],
"source": {
"advisory": "DIVD-2025-00001",
"discovery": "INTERNAL"
},
"title": "XSS, HTML and Style injection on login page",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2025-22373",
"datePublished": "2025-04-14T15:32:49.533Z",
"dateReserved": "2025-01-03T14:56:05.686Z",
"dateUpdated": "2025-04-15T10:38:54.463Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22371 (GCVE-0-2025-22371)
Vulnerability from cvelistv5 – Published: 2025-04-14 15:32 – Updated: 2025-04-21 11:43
VLAI?
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to Bypass Authentication and execute arbitrary SQL commands.This issue at least affects BASEC for the date of 14 Dec 2021 onwards. It is very likely that this vulnerability has been present in the solution before that.
The issue was fixed by SicommNet around 11pm on 16 april 2025 (Eastern Time)
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Jesse Meijer (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22371",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T15:55:21.888862Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T15:56:47.185Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"SaaS"
],
"product": "BASEC",
"vendor": "SicommNet",
"versions": [
{
"lessThanOrEqual": "16 April 2025 23:00 EST",
"status": "affected",
"version": "14 Dec 2021",
"versionType": "custom"
},
{
"lessThanOrEqual": "*",
"status": "unaffected",
"version": "16 April 2025 23:00 EST",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jesse Meijer (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2025-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to Bypass \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eAuthentication and execute arbitrary SQL commands.\u003c/span\u003e\u003cp\u003eThis issue at least affects BASEC for the date of 14 Dec 2021 onwards. It is very likely that this vulnerability has been present in the solution before that.\u003c/p\u003e\u003cp\u003eThe issue was fixed by SicommNet around 11pm on 16 april 2025 (Eastern Time)\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in SicommNet BASEC (SaaS Service) login page allows an unauthenticated remote attacker to Bypass Authentication and execute arbitrary SQL commands.This issue at least affects BASEC for the date of 14 Dec 2021 onwards. It is very likely that this vulnerability has been present in the solution before that.\n\nThe issue was fixed by SicommNet around 11pm on 16 april 2025 (Eastern Time)"
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"impacts": [
{
"capecId": "CAPEC-115",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-115 Authentication Bypass"
}
]
},
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/AU:Y/V:C",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-21T11:43:09.671Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"product"
],
"url": "https://basec.sicomm.net/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2025-00001"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2025-22371"
}
],
"source": {
"advisory": "DIVD-2025-00001",
"discovery": "INTERNAL"
},
"title": "SQL-injection in admin_login_handler allows unauthenticated user to log in as an administrator in SicommNet BASEC",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2025-22371",
"datePublished": "2025-04-14T15:32:49.665Z",
"dateReserved": "2025-01-03T14:56:05.686Z",
"dateUpdated": "2025-04-21T11:43:09.671Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-22372 (GCVE-0-2025-22372)
Vulnerability from cvelistv5 – Published: 2025-04-14 15:32 – Updated: 2025-04-15 10:38
VLAI?
Summary
Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.
Passwords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.
This issue affects BASEC: from 14 Dec 2021.
Severity ?
CWE
- CWE-522 - Insufficiently Protected Credentials
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Credits
Jesse Meijer (DIVD)
Frank Breedijk (DIVD)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-22372",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T16:13:35.134489Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T16:16:42.317Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"platforms": [
"SaaS"
],
"product": "BASEC",
"vendor": "SicommNet",
"versions": [
{
"lessThanOrEqual": "*",
"status": "affected",
"version": "14 Dec 2021",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jesse Meijer (DIVD)"
},
{
"lang": "en",
"type": "analyst",
"value": "Frank Breedijk (DIVD)"
}
],
"datePublic": "2025-04-12T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.\u003cbr\u003e\u003cp\u003ePasswords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.\u003cbr\u003e\u003cbr\u003eThis issue affects BASEC: from 14 Dec 2021.\u003c/p\u003e"
}
],
"value": "Insufficiently Protected Credentials vulnerability in SicommNet BASEC on SaaS allows Password Recovery.\nPasswords are either stored in plain text using reversible encryption, allowing an attacker with sufficient privileges to extract plain text passwords easily.\n\nThis issue affects BASEC: from 14 Dec 2021."
}
],
"exploits": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"value": "Given that vulnerability has been exposed for over 3 years, users should consider the service and all the data in it as compromised."
}
],
"impacts": [
{
"capecId": "CAPEC-50",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-50 Password Recovery Exploitation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "LOCAL",
"baseScore": 8.4,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/AU:Y/V:C",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV4_0": {
"Automatable": "YES",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "LOW",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "CONCENTRATED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/AU:Y/V:C",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "When combined with CVE-2025-22371"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-522",
"description": "CWE-522 Insufficiently Protected Credentials",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-15T10:38:53.145Z",
"orgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"shortName": "DIVD"
},
"references": [
{
"tags": [
"product"
],
"url": "https://basec.sicomm.net/login/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/DIVD-2025-00001"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://csirt.divd.nl/CVE-2025-22372"
}
],
"source": {
"advisory": "DIVD-2025-00001",
"discovery": "INTERNAL"
},
"title": "Insecure password storage in SicommNet BASEC",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "b87402ff-ae37-4194-9dae-31abdbd6f217",
"assignerShortName": "DIVD",
"cveId": "CVE-2025-22372",
"datePublished": "2025-04-14T15:32:49.367Z",
"dateReserved": "2025-01-03T14:56:05.686Z",
"dateUpdated": "2025-04-15T10:38:53.145Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}