CVE-2019-19245

9.8 CRITICAL

📋 TL;DR

CVE-2019-19245 is a pre-authentication SQL injection vulnerability in the web interface of NAPC Xinet Elegant 6 Asset Library. An attacker can inject SQL through the username field of the login form when the input contains double quotes, potentially compromising the database. Organizations running the vulnerable version of this asset management software are affected.

💻 Affected Systems

Products:
  • NAPC Xinet Elegant 6 Asset Library
Versions: 6.1.655
Operating Systems: Not specified, likely cross-platform
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the web interface login form specifically when double quotes are used in the username field.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, authentication bypass, privilege escalation, and potential remote code execution on the underlying server.

🟠 Likely Case

Database information disclosure, authentication bypass, and potential extraction of sensitive asset management data.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and network segmentation in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available on Packet Storm Security and other sources. Attack requires no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Contact vendor NAPC for updated version or security guidance.

🔧 Temporary Workarounds

Web Application Firewall (WAF) Rules

all

Implement WAF rules to block SQL injection patterns in login requests

Input Validation Filter

all

Add server-side input validation to reject requests containing SQL injection patterns in username field

🧯 If You Can't Patch

  • Isolate the Xinet Elegant system from internet access and restrict internal network access
  • Implement strict network monitoring and alerting for SQL injection attempts on the login endpoint

🔍 How to Verify

Check if Vulnerable:

Test login endpoint with SQL injection payloads containing double quotes in username field. Example: username=" OR 1=1--

Check Version:

Check web interface or application version information, typically in admin panel or about page

Verify Fix Applied:

Verify that SQL injection attempts no longer succeed and proper input validation is implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts with special characters
  • Login attempts containing SQL keywords

Network Indicators:

  • HTTP POST requests to /elegant6/login with SQL injection patterns
  • Unusual database queries originating from web server

SIEM Query:

source="web_server" AND (uri="/elegant6/login" AND (request_body CONTAINS "OR 1=1" OR request_body CONTAINS "UNION SELECT" OR request_body CONTAINS "--"))
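
The SIEM query above matches literal strings, but a form-encoded login body carries the same input as `%22+OR+1%3D1--`. The following added example (not from the vendor or the original advisory) decodes the username field before matching; the log line layout and the `username` parameter name are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs

LOGIN_PATH = "/elegant6/login"  # endpoint named in the network indicators
USER_FIELD = "username"         # assumption: form parameter name of the username field

# Same patterns as the SIEM query, plus the double quote the advisory singles out.
SQLI_PATTERNS = {
    "double_quote": re.compile(r'"'),
    "tautology": re.compile(r"\bOR\s+\d+\s*=\s*\d+", re.I),
    "union_select": re.compile(r"\bUNION\s+(?:ALL\s+)?SELECT\b", re.I),
    "sql_comment": re.compile(r"--"),
}

# Constructed sample lines: "<timestamp> <src_ip> <method> <path> <form body>"
SAMPLE_LOG = [
    "2019-12-02T09:14:03Z 198.51.100.20 POST /elegant6/login username=alice&password=REDACTED",
    "2019-12-02T09:15:41Z 203.0.113.7 POST /elegant6/login username=%22+OR+1%3D1--&password=REDACTED",
    "2019-12-02T09:15:44Z 203.0.113.7 POST /elegant6/login username=x%22%20UNION%20SELECT%20null--&password=REDACTED",
    "2019-12-02T09:16:10Z 198.51.100.20 GET /elegant6/login -",
    "2019-12-02T09:17:32Z 198.51.100.31 POST /elegant6/login username=jean-luc&password=REDACTED",
]

def inspect_line(line):
    """Return (src_ip, sorted pattern names) for a suspicious login POST, else None."""
    parts = line.strip().split(" ", 4)
    if len(parts) != 5:
        return None
    _ts, src_ip, method, path, body = parts
    if method != "POST" or path.split("?", 1)[0] != LOGIN_PATH:
        return None
    # parse_qs decodes %XX and '+', so URL-encoded input is matched as well.
    values = parse_qs(body, keep_blank_values=True).get(USER_FIELD, [])
    hits = sorted({n for v in values for n, rx in SQLI_PATTERNS.items() if rx.search(v)})
    return (src_ip, hits) if hits else None

def scan(lines):
    """Group suspicious requests by source IP: {ip: [pattern names per request]}."""
    alerts = {}
    for line in lines:
        found = inspect_line(line)
        if found:
            alerts.setdefault(found[0], []).append(found[1])
    return alerts

if __name__ == "__main__":
    for ip, requests in scan(SAMPLE_LOG).items():
        print(ip, len(requests), requests)
```

Matching only the decoded username value keeps a legitimate hyphenated name such as `jean-luc` from triggering the `--` rule.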
