This vulnerability is an SQL injection (CWE-89) in MegaCMS v12.0.0, specifically in the handling of the “id_territorio” parameter in the “/web_comunications/cms/get_provincias” endpoint. The issue arises from inadequate validation and sanitization of this parameter, allowing unauthenticated attackers to craft malicious POST requests that execute arbitrary SQL queries against the backend database. This can lead to full compromise of the database confidentiality, integrity, and availability. The CVSS 4.0 vector indicates the attack is network-based, requires no privileges or user interaction, and has high impact on confidentiality, integrity, and availability. No patch or official fix has been published yet.

Successful exploitation allows unauthenticated attackers to execute arbitrary SQL commands on the MegaCMS backend database, potentially leading to data disclosure, data modification, or denial of service. Given the critical CVSS score of 10, the impact is severe, affecting confidentiality, integrity, and availability of the system. There are no known exploits in the wild currently, but the vulnerability is publicly disclosed.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, it is recommended to implement input validation and sanitization controls on the “id_territorio” parameter, restrict access to the vulnerable endpoint if possible, and monitor for suspicious activity targeting this endpoint. Avoid exposing the vulnerable version in production environments.