CVE-2025-26086

An unauthenticated blind SQL injection vulnerability exists in RSI Queue Management System v3.0 within the TaskID parameter of the get request handler. Attackers can remotely inject time-delayed SQL payloads to induce server response delays, enabling time-based inference and iterative extraction of sensitive database contents without authentication.
Configurations

Configuration 1 (hide)

cpe:2.3:a:rsiqueue:management_system:3.0:*:*:*:*:*:*:*

History

12 Jun 2025, 16:20

Type Values Removed Values Added
First Time Rsiqueue management System
Rsiqueue
References () https://seclists.org/fulldisclosure/2025/May/21 - () https://seclists.org/fulldisclosure/2025/May/21 - Mailing List
References () http://seclists.org/fulldisclosure/2025/May/21 - () http://seclists.org/fulldisclosure/2025/May/21 - Mailing List
CPE cpe:2.3:a:rsiqueue:management_system:3.0:*:*:*:*:*:*:*
Summary
  • (es) Existe una vulnerabilidad de inyección SQL ciega no autenticada en RSI Queue Management System v3.0 dentro del parámetro TaskID del controlador de solicitudes GET. Los atacantes pueden inyectar remotamente payloads SQL con retardo temporal para inducir retrasos en la respuesta del servidor, lo que permite la inferencia basada en el tiempo y la extracción iterativa de contenido confidencial de la base de datos sin autenticación.

20 May 2025, 16:15

Type Values Removed Values Added
CWE CWE-89
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 7.5

20 May 2025, 15:16

Type Values Removed Values Added
New CVE

Information

Published : 2025-05-20 15:16

Updated : 2025-06-12 16:20


NVD link : CVE-2025-26086

Mitre link : CVE-2025-26086

CVE.ORG link : CVE-2025-26086


JSON object : View

Products Affected

rsiqueue

  • management_system
CWE
CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')