VA-25-079-01

Vulnerability from csaf_cisa - Published: 2025-03-20 00:00 - Updated: 2025-05-02 01:11
Summary
CentralSquare eTRAKiT.Net SQL injection vulnerability

Notes

Legal Notice
All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \"as is\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).
Countries and Areas Deployed
Worldwide
Critical Infrastructure Sectors
Information Technology
Risk Evaluation
eTRAKiT is a public online portal that provides the public with easily accessible information related to permits, projects, licenses, code compliance, land, and inspections. An SQL injection vulnerability in the CRM feature of eTRAKiT.net release 3.2.1.77 allows a remote, unauthenticated attacker to execute SQL queries and potentially arbitrary operating system commands as the Microsoft SQL Server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development (24.1.1.2 as of 2025-03-13).
Recommended Practices
eTRAKiT.net is an older version of Community Development that is no longer supported. Users are recommended to upgrade to the latest version of Community Development.
Company Headquarters Location
United States
To clipboard 

{
  "document": {
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE"
      }
    },
    "lang": "en-US",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
        "title": "Legal Notice"
      },
      {
        "category": "other",
        "text": "Worldwide",
        "title": "Countries and Areas Deployed"
      },
      {
        "category": "other",
        "text": "Information Technology",
        "title": "Critical Infrastructure Sectors"
      },
      {
        "category": "summary",
        "text": "eTRAKiT is a public online portal that provides the public with easily accessible information related to permits, projects, licenses, code compliance, land, and inspections. An SQL injection vulnerability in the CRM feature of eTRAKiT.net release 3.2.1.77 allows a remote, unauthenticated attacker to execute SQL queries and potentially arbitrary operating system commands as the Microsoft SQL Server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development (24.1.1.2 as of 2025-03-13).\n",
        "title": "Risk Evaluation"
      },
      {
        "category": "general",
        "text": "eTRAKiT.net is an older version of Community Development that is no longer supported. Users are recommended to upgrade to the latest version of Community Development.",
        "title": "Recommended Practices"
      },
      {
        "category": "other",
        "text": "United States",
        "title": "Company Headquarters Location"
      }
    ],
    "publisher": {
      "category": "coordinator",
      "contact_details": "https://www.cisa.gov/report",
      "issuing_authority": "CISA",
      "name": "CISA",
      "namespace": "https://www.cisa.gov/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Vulnerability Advisory VA-25-079-01 CSAF",
        "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-079-01.json"
      }
    ],
    "title": "CentralSquare eTRAKiT.Net SQL injection vulnerability",
    "tracking": {
      "current_release_date": "2025-05-02T01:11:43Z",
      "generator": {
        "engine": {
          "name": "VINCE-NT",
          "version": "1.8.0"
        }
      },
      "id": "VA-25-079-01",
      "initial_release_date": "2025-03-20T00:00:00Z",
      "revision_history": [
        {
          "date": "2025-05-02T01:11:43Z",
          "number": "1.0.1",
          "summary": "Remove reference to pull request, standardize \"Initial publication\" revision message"
        },
        {
          "date": "2025-03-20T00:00:00Z",
          "number": "1.0.0",
          "summary": "Initial publication"
        }
      ],
      "status": "final",
      "version": "1.0.1"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "3.2.1.77",
                "product": {
                  "name": "CentralSquare eTRAKiT.Net 3.2.1.77",
                  "product_id": "CSAFPID-0001"
                }
              }
            ],
            "category": "product_name",
            "name": "eTRAKiT.Net"
          }
        ],
        "category": "vendor",
        "name": "CentralSquare"
      }
    ]
  },
  "vulnerabilities": [
    {
      "acknowledgments": [
        {
          "names": [
            "Caleb Lenz"
          ],
          "organization": "City of Pasco, WA"
        }
      ],
      "cve": "CVE-2025-29980",
      "cwe": {
        "id": "CWE-89",
        "name": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)"
      },
      "notes": [
        {
          "category": "summary",
          "text": "A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrary commands as the current MS SQL server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development.",
          "title": "Description"
        },
        {
          "category": "details",
          "text": "SSVCv2/E:P/A:Y/T:T/2025-03-17T19:49:56Z/",
          "title": "SSVC"
        },
        {
          "category": "description",
          "text": "A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. CentralSquare has notified all affected customers and is actively working with these customers for a solution to this issue. CentralSquare has also recommended that all affected customers upgrade to the latest version of Community Development. CentralSquare is not aware of any SQL injection issues in current versions of Community Development.",
          "title": "Vendor statement from CentralSquare"
        }
      ],
      "product_status": {
        "known_affected": [
          "CSAFPID-0001"
        ]
      },
      "references": [
        {
          "category": "external",
          "summary": "raw.githubusercontent.com",
          "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-079-01.json"
        }
      ],
      "release_date": "2025-03-20T00:00:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "details": "eTRAKiT.Net is no longer supported. Upgrade to the latest version of Community Development.",
          "product_ids": [
            "CSAFPID-0001"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          },
          "products": [
            "CSAFPID-0001"
          ]
        }
      ],
      "title": "Blind SQL Injection vulnerability in eTRAKiT.Net"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.