← Back
2026-03-26 11:39CVE-2018-25202VulnCheck
PUBLISHED5.2CWE-89

SAT CFDI 3.3 SQL Injection via signIn endpoint

SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.

Problem type

Affected products

Wecodex

SAT CFDI

3.3 - AFFECTED

References

ExploitDB-44726

https://www.exploit-db.com/exploits/44726

exploit
Official Product Homepage

https://www.wecodex.com/item/view/verification-and-validation-system-sat-cfdi-33/8

product
VulnCheck Advisory: SAT CFDI 3.3 SQL Injection via signIn endpoint

https://www.vulncheck.com/advisories/sat-cfdi-sql-injection-via-signin-endpoint

third-party-advisory

GitHub Security Advisories

GHSA-q8vp-5rq8-4rfj

SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database...

https://github.com/advisories/GHSA-q8vp-5rq8-4rfj

SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application.

nvd.nist.gov

https://nvd.nist.gov/vuln/detail/CVE-2018-25202

exploit-db.com

https://www.exploit-db.com/exploits/44726

vulncheck.com

https://www.vulncheck.com/advisories/sat-cfdi-sql-injection-via-signin-endpoint

wecodex.com

https://www.wecodex.com/item/view/verification-and-validation-system-sat-cfdi-33/8

github.com

https://github.com/advisories/GHSA-q8vp-5rq8-4rfj

JSON source

https://cveawg.mitre.org/api/cve/CVE-2018-25202
Click to expand
{
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "cveMetadata": {
    "cveId": "CVE-2018-25202",
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "dateUpdated": "2026-03-26T18:44:03.302Z",
    "dateReserved": "2026-03-26T11:32:32.898Z",
    "datePublished": "2026-03-26T11:39:50.398Z",
    "state": "PUBLISHED"
  },
  "containers": {
    "cna": {
      "providerMetadata": {
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck",
        "dateUpdated": "2026-03-26T11:39:50.398Z"
      },
      "datePublic": "2018-05-23T00:00:00.000Z",
      "title": "SAT CFDI 3.3 SQL Injection via signIn endpoint",
      "descriptions": [
        {
          "lang": "en",
          "value": "SAT CFDI 3.3 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting SQL code through the 'id' parameter in the signIn endpoint. Attackers can submit POST requests with boolean-based blind, stacked queries, or time-based blind SQL injection payloads to extract sensitive data or compromise the application."
        }
      ],
      "affected": [
        {
          "vendor": "Wecodex",
          "product": "SAT CFDI",
          "versions": [
            {
              "version": "3.3",
              "status": "affected"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "lang": "en",
              "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')",
              "cweId": "CWE-89",
              "type": "CWE"
            }
          ]
        }
      ],
      "references": [
        {
          "url": "https://www.exploit-db.com/exploits/44726",
          "name": "ExploitDB-44726",
          "tags": [
            "exploit"
          ]
        },
        {
          "url": "https://www.wecodex.com/item/view/verification-and-validation-system-sat-cfdi-33/8",
          "name": "Official Product Homepage",
          "tags": [
            "product"
          ]
        },
        {
          "url": "https://www.vulncheck.com/advisories/sat-cfdi-sql-injection-via-signin-endpoint",
          "name": "VulnCheck Advisory: SAT CFDI 3.3 SQL Injection via signIn endpoint",
          "tags": [
            "third-party-advisory"
          ]
        }
      ],
      "metrics": [
        {
          "format": "CVSS"
        },
        {
          "format": "CVSS",
          "cvssV3_1": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE",
            "baseScore": 8.2,
            "baseSeverity": "HIGH"
          }
        }
      ],
      "credits": [
        {
          "lang": "en",
          "value": "Özkan Mustafa Akkuş (AkkuS)",
          "type": "finder"
        }
      ]
    },
    "adp": [
      {
        "providerMetadata": {
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP",
          "dateUpdated": "2026-03-26T18:44:03.302Z"
        },
        "title": "CISA ADP Vulnrichment",
        "metrics": [
          {}
        ]
      }
    ]
  }
}