CVE 9.4 CRITICAL

Unsanitized parameter input leading to SQL Injection vulnerability (CVE-2025-10460)

9.4 / 10
CRITICAL
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:L/SC:H/SI:L/SA:N

Description

A SQL Injection vulnerability on an endpoint in BEIMS Contractor Web, a legacy product that is no longer maintained or patched by the vendor, allows an unauthorised user to retrieve sensitive database contents via unsanitized parameter input. The vulnerability is caused by improper input validation on the /BEIMSWeb/contractor.asp endpoint, and successful exploitation requires a contractor.asp endpoint that is exposed to the internet. It allows attackers to execute arbitrary SQL commands, compromising the confidentiality, integrity and potentially the availability of the database.

Version 5.7.139 has been confirmed as vulnerable. Other versions have not been confirmed by the vendor, and users should assume that all versions of BEIMS Contractor Web may be impacted until further guidance is provided by the vendor.

AI Analysis

SQL Injection vulnerability due to unsanitized parameter input, allowing unauthorized users to execute arbitrary SQL commands.

Basic Information

ID CVE-2025-10460
Source MON-CSIRT
Published Nov 17, 2025 at 02:48

Affected Product

Vendor BEIMS
Product Contractor Web
Version 5.7
Affected Versions BEIMS Contractor Web 5.7

CWE Classification

AI Assessment

AI Score 9.4 / 10
AI Severity Critical
Vendor BEIMS
Product Contractor Web
Version 5.7.139

References
