CVE-2025-61548
edu Business Solutions · Print Shop Pro WebDesk
Print Shop Pro WebDesk version 18.34 contains a SQL injection vulnerability in the hfInventoryDistFormID parameter, allowing remote code execution.
Executive summary
A critical SQL injection vulnerability in Print Shop Pro WebDesk allows unauthenticated remote attackers to execute arbitrary database commands and potentially compromise sensitive application data.
Vulnerability
The application fails to sanitize input in the hfInventoryDistFormID parameter within the /PSP/appNET/Store/CartV12.aspx/GetUnitPrice endpoint. This allows remote, unauthenticated attackers to inject malicious SQL queries into the backend database.
Business impact
With a CVSS score of 9.8, this vulnerability poses a severe risk to data confidentiality and integrity. Successful exploitation could allow attackers to extract sensitive customer information, modify inventory data, or gain administrative access to the underlying database, leading to significant reputational and operational damage.
Remediation
Immediate Action: Apply the vendor-provided patch or upgrade to the version of Print Shop Pro WebDesk that remediates this SQL injection flaw.
Proactive Monitoring: Monitor web application logs for suspicious character strings (e.g., a single quote ', the comment sequence --, or UNION SELECT) within URI requests directed at the CartV12.aspx endpoint.
Compensating Controls: Deploy a Web Application Firewall (WAF) with strict SQL injection protection rules to block malicious payloads targeting the vulnerable parameter.
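The log-monitoring step above, as an added example that is not part of this advisory or the vendor's product: it scans IIS W3C log lines for requests to the GetUnitPrice endpoint whose hfInventoryDistFormID value carries one of the listed indicators, URL-decoding the value first so percent-encoded and double-encoded variants are not missed. The field layout and the sample log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus

# Endpoint and parameter named in the advisory (compared case-insensitively).
VULN_PATH = "/PSP/appNET/Store/CartV12.aspx/GetUnitPrice".lower()
VULN_PARAM = "hfInventoryDistFormID".lower()
# Indicators the advisory lists; checked after URL-decoding so %27 or %2D%2D are not missed.
INDICATORS = re.compile(r"'|--|\bunion\s+select\b", re.IGNORECASE)
# Assumed IIS W3C field layout for this example (real logs declare it in a #Fields header).
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

def parse_w3c_line(line):
    """Split one W3C log line into a dict; IIS writes '-' for an empty field."""
    parts = line.split(" ")
    if len(parts) != len(FIELDS):
        return None
    return {k: ("" if v == "-" else v) for k, v in zip(FIELDS, parts)}

def flag_request(rec):
    """Return the decoded hfInventoryDistFormID value if the request hits the
    vulnerable endpoint and the value carries an indicator, otherwise None."""
    if rec["cs-uri-stem"].lower() != VULN_PATH:
        return None
    # parse_qs decodes once; unquote_plus again catches double-encoded values.
    for name, values in parse_qs(rec["cs-uri-query"], keep_blank_values=True).items():
        if name.lower() != VULN_PARAM:
            continue
        for value in values:
            decoded = unquote_plus(value)
            if INDICATORS.search(decoded):
                return decoded
    return None

def scan_log(lines):
    """Return (client IP, decoded value) for every flagged request in the log."""
    hits = []
    for line in lines:
        if line.startswith("#"):  # W3C directive lines
            continue
        rec = parse_w3c_line(line)
        if rec is not None and (value := flag_request(rec)) is not None:
            hits.append((rec["c-ip"], value))
    return hits

# Constructed sample log lines (not real traffic); the third request is double-encoded.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2025-01-01 10:00:00 10.0.0.5 GET /PSP/appNET/Store/CartV12.aspx/GetUnitPrice hfInventoryDistFormID=1042 200
2025-01-01 10:00:01 10.0.0.9 GET /PSP/appNET/Store/CartV12.aspx/GetUnitPrice hfInventoryDistFormID=1042%27%20-- 500
2025-01-01 10:00:02 10.0.0.9 GET /PSP/appNET/Store/CartV12.aspx/GetUnitPrice hfInventoryDistFormID=1%2520UNION%2520SELECT 500
2025-01-01 10:00:03 10.0.0.7 GET /PSP/appNET/Store/Other.aspx q=%27 200""".splitlines()
```

IIS W3C logs record only the query string, not the request body, so a value submitted in a POST body would not appear here; cover that path with the WAF rule or with request-body logging.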
Exploitation status
Public Exploit Available: No
Analyst recommendation
This vulnerability is highly critical due to the potential for unauthenticated database manipulation. Administrators must prioritize the application of the vendor's security patch to neutralize the risk of unauthorized data access.