{
"document": {
"category": "csaf_vex",
"csaf_version": "2.0",
"lang": "en-US",
"publisher": {
"category": "coordinator",
"contact_details": "https://www.cisa.gov/report",
"issuing_authority": "CISA",
"name": "CISA",
"namespace": "https://www.cisa.gov/"
},
"title": "CentralSquare eTRAKiT.Net SQL injection vulnerability",
"tracking": {
"current_release_date": "2025-03-20T17:57:39Z",
"generator": {
"engine": {
"name": "VINCE-NT",
"version": "1.7.0"
}
},
"id": "VA-25-079-01",
"initial_release_date": "2025-03-20T17:57:39Z",
"status": "draft",
"version": "1.0.0",
"revision_history": [
{
"number": "1.0.0",
"summary": "Initial release",
"date": "2025-03-20T00:00:00Z"
}
]
},
"distribution": {
"tlp": {
"label": "WHITE"
}
},
"notes": [
{
"text": "All information products included in [https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white](https://github.com/cisagov/CSAF/tree/develop/csaf_files/IT/white) are provided \\\"as is\\\" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see [https://us-cert.cisa.gov/tlp/](https://us-cert.cisa.gov/tlp/).",
"title": "Legal Notice",
"category": "legal_disclaimer"
},
{
"text": "Worldwide",
"title": "Countries and Areas Deployed",
"category": "other"
},
{
"text": "Information Technology",
"title": "Critical Infrastructure Sectors",
"category": "other"
},
{
"text": "eTRAKiT is a public online portal that provides the public with easily accessible information related to permits, projects, licenses, code compliance, land, and inspections. An SQL injection vulnerability in the CRM feature of eTRAKiT.net release 3.2.1.77 allows a remote, unauthenticated attacker to execute SQL queries and potentially arbitrary operating system commands as the Microsoft SQL Server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development (24.1.1.2 as of 2025-03-13).\n",
"title": "Risk Evaluation",
"category": "summary"
},
{
"text": "eTRAKiT.net is an older version of Community Development that is no longer supported. Users are recommended to upgrade to the latest version of Community Development.",
"title": "Recommended Practices",
"category": "general"
},
{
"text": "United States",
"title": "Company Headquarters Location",
"category": "other"
}
],
"references": [
{
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/VA-25-079-01.json",
"summary": "Vulnerability Advisory VA-25-079-01 CSAF",
"category": "self"
}
]
},
"product_tree": {
"branches": [
{
"category": "vendor",
"name": "CentralSquare",
"branches": [
{
"category": "product_name",
"name": "eTRAKiT.Net",
"branches": [
{
"category": "product_version",
"name": "3.2.1.77",
"product": {
"name": "CentralSquare eTRAKiT.Net 3.2.1.77",
"product_id": "CSAFPID-0001"
}
}
]
}
]
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2025-29980",
"cwe": {
"id": "CWE-89",
"name": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"
},
"notes": [
{
"category": "summary",
"text": "A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. Due to improper input validation, a remote unauthenticated attacker can run arbitrary commands as the current MS SQL server account. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. eTRAKiT.Net is no longer supported, and users are recommended to migrate to the latest version of CentralSquare Community Development.",
"title": "Description"
},
{
"category": "details",
"title": "SSVC",
"text": "SSVCv2/E:P/A:Y/T:T/2025-03-17T19:49:56Z/"
},
{
"category": "description",
"text": "A SQL injection issue has been discovered in eTRAKiT.net release 3.2.1.77. It is recommended that the CRM feature is turned off while on eTRAKiT.net release 3.2.1.77. CentralSquare has notified all affected customers and is actively working with these customers for a solution to this issue. CentralSquare has also recommended that all affected customers upgrade to the latest version of Community Development. CentralSquare is not aware of any SQL injection issues in current versions of Community Development.",
"title": "Vendor statement from CentralSquare"
}
],
"title": "Blind SQL Injection vulnerability in eTRAKiT.Net",
"product_status": {
"known_affected": [
"CSAFPID-0001"
]
},
"references": [
{
"category": "external",
"summary": "raw.githubusercontent.com",
"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-25-079-01.json"
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"CSAFPID-0001"
]
}
],
"remediations": [
{
"category": "no_fix_planned",
"details": "eTRAKiT.Net is no longer supported. Upgrade to the latest version of Community Development.",
"product_ids": [
"CSAFPID-0001"
]
}
],
"acknowledgments": [
{
"names": [
"Caleb Lenz"
],
"organization": "City of Pasco, WA"
}
],
"release_date": "2025-03-20T00:00:00Z"
}
]
}