Critical SQL Injection and XSS flaws reported in Imaster business software
Take action: If you are using Imaster MEMS Events CRM and the Patient Records Management System, make sure they are isolated from the internet and accessible from trusted networks only. Reach out to the vendor for patches, and in the meantime use a Web Application Firewall to filter malicious SQL and XSS traffic.
Learn More
INCIBE-CERT is reporting multiple flaws in Imaster MEMS Events CRM and the Patient Records Management System.
Vulnerabilities summary:
- CVE-2025-41006 (CVSS score 9.3) - SQL injection in the 'phone' parameter at /memsdemo/login.php. Attackers do not need a username or password to use this exploit. By sending a malicious request to the login portal, they can read or change the entire database.
- CVE-2025-41004 (CVSS score 8.7) - SQL injection in the 'id' parameter at /projects/hospital/admin/complaints.php. An authenticated user can pull sensitive data they are not authorized to access.
- CVE-2025-41005 (CVSS score 8.7) - SQL injection in the 'keyword' parameter at /memsdemo/exchange_offers.php. An authenticated user can pull sensitive data they are not authorized to access.
- CVE-2025-41003 (CVSS score 5.1) - Stored XSS in the 'firstname' parameter at /projects/hospital/admin/edit_patient.php of the Patient Records Management System. An attacker can hide malicious code in a patient's first name field. When an administrator views the patient list, the code runs in their browser.
Imaster has not released any patches for these vulnerabilities yet. Organizations using these platforms should isolate the programs from the internet, use a web application firewall to block SQL injection and XSS inputs, and limit access to them to trusted zones and users only. Organizations should also monitor the web server and database logs for unusual activity.
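As an added illustration of the log-monitoring advice above (this is not code from the advisory or from Imaster), the script below scans web server access log lines for SQL injection and XSS indicators in exactly the endpoint/parameter pairs the advisory names. It assumes the common Apache/nginx "combined" log format and uses deliberately coarse patterns; the sample log lines are constructed, and note that parameters sent in POST bodies (the usual case for a login form) do not appear in access logs, so a WAF or application-level log is needed to cover those.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint -> parameter pairs taken from the INCIBE-CERT advisory (CVE-2025-41003..41006).
WATCH = {
    "/memsdemo/login.php": "phone",
    "/memsdemo/exchange_offers.php": "keyword",
    "/projects/hospital/admin/complaints.php": "id",
    "/projects/hospital/admin/edit_patient.php": "firstname",
}

# Coarse indicators of SQL injection and XSS in a parameter value; tune these for your WAF.
SQLI = re.compile(r"(?i)['\"]\s*(or|and)\s+[\w'\"]+\s*=|union\s+select|--\s*$|;\s*(drop|insert|update|delete)\b|sleep\s*\(")
XSS = re.compile(r"(?i)<\s*script|javascript:|on\w+\s*=|<\s*(img|svg|iframe)\b")

# Apache/nginx combined log format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" (\d{3})')

def inspect(line: str):
    """Return (client_ip, path, param, kind) when a watched parameter carries an indicator, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, _status = m.groups()
    parts = urlsplit(target)
    param = WATCH.get(parts.path)
    if param is None:
        return None  # only the advisory's endpoints are in scope here
    # parse_qs decodes once; decode again because double-encoding is a common way to evade naive filters.
    for value in parse_qs(parts.query, keep_blank_values=True).get(param, []):
        value = unquote_plus(value)
        if SQLI.search(value):
            return (ip, parts.path, param, "sqli")
        if XSS.search(value):
            return (ip, parts.path, param, "xss")
    return None

def scan(lines):
    """Run inspect() over an iterable of log lines and return only the hits."""
    return [hit for hit in (inspect(line) for line in lines) if hit]

# Constructed sample log lines (documentation IPs, not real traffic).
SAMPLE = [
    '203.0.113.5 - - [10/Jun/2025:10:00:01 +0000] "GET /memsdemo/login.php?phone=%27+OR+1%3D1--+ HTTP/1.1" 200 512 "-" "curl/8.0"',
    '198.51.100.7 - - [10/Jun/2025:10:00:02 +0000] "GET /projects/hospital/admin/complaints.php?id=42 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2025:10:00:03 +0000] "GET /projects/hospital/admin/edit_patient.php?firstname=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.3 - - [10/Jun/2025:10:00:04 +0000] "GET /memsdemo/exchange_offers.php?keyword=summer HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [10/Jun/2025:10:00:05 +0000] "GET /index.php?q=%27+OR+1%3D1 HTTP/1.1" 200 128 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print("ALERT", *hit)
```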