In Sherpa Orchestrator 141851, multiple time-based blind SQL injections can be performed by an authenticated user. This affects api/gui/asset/list, /api/gui/files/export/csv/, /api/gui/files/list, /api/gui/process/export/csv, /api/gui/process/export/xlsx, /api/gui/process/listAll, /api/gui/processVersion/export/csv/, /api/gui/processVersion/export/xlsx/, /api/gui/processVersion/list/, /api/gui/robot/list/, /api/gui/task/export/csv/, /api/gui/task/export/xlsx/, and /api/gui/task/list/.
References
| Link | Resource |
|---|---|
| https://deiteriy.com | Not Applicable |
| https://gist.github.com/ArtemBrylev/59b4c0825a988f39a58b79e4e8d2f378 | Third Party Advisory |
| https://sherparpa.com | Product |
| https://twitter.com/ArtyomBrylev | Not Applicable |
Configurations
History
16 Oct 2025, 20:42
| Type | Values Removed | Values Added |
|---|---|---|
| First Time |
Sherparpa sherpa Orchestrator
Sherparpa |
|
| CPE | cpe:2.3:a:sherparpa:sherpa_orchestrator:141851:*:*:*:*:*:*:* | |
| References | () https://deiteriy.com - Not Applicable | |
| References | () https://gist.github.com/ArtemBrylev/59b4c0825a988f39a58b79e4e8d2f378 - Third Party Advisory | |
| References | () https://sherparpa.com - Product | |
| References | () https://twitter.com/ArtyomBrylev - Not Applicable |
29 Apr 2025, 13:52
| Type | Values Removed | Values Added |
|---|---|---|
| Summary |
|
25 Apr 2025, 03:15
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-04-25 03:15
Updated : 2025-10-16 20:42
NVD link : CVE-2025-46546
Mitre link : CVE-2025-46546
CVE.ORG link : CVE-2025-46546
JSON object : View
Products Affected
sherparpa
- sherpa_orchestrator
CWE
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')