CVE-2019-19986

7.5 HIGH

📋 TL;DR

Unauthenticated attackers can execute arbitrary SQL SELECT statements through an error-based SQL injection in the persoid parameter of /tools/VamPersonPhoto.php in the Visual Access Manager (VAM) web interface. Selesta VAM versions 4.15.0 through 4.29 are affected. Because database error text is returned in the response, an attacker can read sensitive database contents without valid credentials.

💻 Affected Systems

Products:
  • Selesta Visual Access Manager (VAM)
Versions: 4.15.0 through 4.29
Operating Systems: Any OS running VAM
Default Config Vulnerable: ⚠️ Yes
Notes: Every deployment running an affected version is exposed; the flaw is in the application code, not in a configuration option, so no setting turns it off.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including extraction of all user credentials, access logs, and sensitive configuration data, potentially leading to full system takeover.

🟠

Likely Case

Extraction of user credentials, access logs, and sensitive configuration data that could enable further attacks or privilege escalation.

🟢

If Mitigated

Limited information disclosure if proper input validation and WAF rules are in place, though database errors may still leak some information.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Error-based SQL injection is well-documented and easily automated. The vulnerability requires no authentication and affects a web-accessible endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.30.0 or later

Vendor Advisory: https://www.seling.it/

Restart Required: Yes

Instructions:

1. Download VAM version 4.30.0 or later from the Selesta website.
2. Back up the current installation and the database.
3. Stop the VAM services.
4. Install the updated version.
5. Restart the VAM services.
6. Verify that the application works and that the reported version is 4.30.0 or later.

🔧 Temporary Workarounds

WAF Rule Implementation

Platform: all

Deploy web application firewall rules to block SQL injection attempts targeting the persoid parameter. A WAF only inspects what passes through it and libinjection-style detection can be evaded, so treat this as a stopgap until 4.30.0 is installed.

# Example ModSecurity rule (libinjection check on the persoid argument, GET or POST):
SecRule ARGS:persoid "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt detected in persoid'"

Input Validation Filter

Platform: all

Restrict the persoid parameter to the expected unsigned integer before it reaches any query. is_numeric() is too loose for this (it accepts "1e3", leading whitespace and signs); a parameterised query remains the real fix, this only narrows the input.

# Example PHP validation (GET or POST):
$persoid = $_POST['persoid'] ?? $_GET['persoid'] ?? '';
if (!ctype_digit((string) $persoid)) { http_response_code(400); exit('Invalid input'); }
$persoid = (int) $persoid;

🧯 If You Can't Patch

  • Block external access to /tools/VamPersonPhoto.php via firewall rules or web server configuration
  • Implement strict input validation at the application level to sanitize the persoid parameter
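The following is an added example, not VAM source code (which this page does not reproduce). It models the flaw with an in-memory SQLite table of constructed person records: vulnerable_lookup() pastes the persoid value into the query text the way an injectable endpoint would, query_error() shows the database error that leaks on a single quote (the error-based signal), and safe_lookup() is the hardened form with an unsigned-integer check plus a parameterised query. Table and column names are assumptions for the model.

```python
import re
import sqlite3

PERSOID_RE = re.compile(r"[0-9]+")


def make_db():
    """Constructed sample schema: person photos plus a credentials table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE persons (persoid INTEGER PRIMARY KEY, name TEXT, photo BLOB)")
    db.execute("CREATE TABLE users (username TEXT, pwhash TEXT)")
    db.executemany("INSERT INTO persons VALUES (?, ?, ?)",
                   [(1042, "Alice", b"\x89PNG"), (1043, "Bob", b"\x89PNG")])
    db.execute("INSERT INTO users VALUES ('admin', '$2y$10$constructedhash')")
    return db


def vulnerable_lookup(db, persoid):
    """Mimics the flaw: untrusted input becomes part of the SQL text."""
    sql = "SELECT name, photo FROM persons WHERE persoid = " + persoid
    return db.execute(sql).fetchall()


def query_error(db, persoid):
    """Return the database error text the vulnerable code would leak, or None."""
    try:
        vulnerable_lookup(db, persoid)
    except sqlite3.Error as err:
        return str(err)
    return None


def safe_lookup(db, persoid):
    """Hardened form: validate the shape, then bind the value as a parameter."""
    if not (isinstance(persoid, str) and PERSOID_RE.fullmatch(persoid)):
        raise ValueError("persoid must be an unsigned integer")
    return db.execute("SELECT name, photo FROM persons WHERE persoid = ?",
                      (int(persoid),)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print("benign:", vulnerable_lookup(db, "1042"))
    print("quote :", query_error(db, "1042'"))          # error text leaks
    print("union :", vulnerable_lookup(db, "0 UNION SELECT username, pwhash FROM users"))
    print("safe  :", safe_lookup(db, "1042"))
```

The UNION case is what "arbitrary SQL SELECT statements" means in practice: once the query text is attacker-controlled, any table the application's database account can read is reachable, which is why the worst case above is credential and log extraction rather than a single record.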

🔍 How to Verify

Check if Vulnerable:

Send a benign numeric persoid value to /tools/VamPersonPhoto.php, then the same value with a single quote appended, over both GET and POST. A database error message in the second response but not in the first is the error-based injection signal. Only run this against systems you are authorised to test.

Check Version:

Check VAM web interface login page or admin panel for version information

Verify Fix Applied:

Repeat the same two-request test after patching: the quoted value should no longer produce database error text (expect a generic error page, an empty response, or the same response as the benign request). Also confirm that the version shown in the interface is 4.30.0 or later.
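An added example (not part of the original page or of any Selesta tooling) that automates the check above with the Python standard library: it requests the endpoint once with a benign id and once with a single quote appended, for GET and for POST, and reports "vulnerable" only when the error text appears for the quoted value alone. The base URL is supplied on the command line; the database error signatures are generic MySQL, PostgreSQL, MSSQL, Oracle and PDO fragments, not strings taken from VAM. Use it only on systems you are authorised to assess.

```python
import re
import sys
import urllib.error
import urllib.parse
import urllib.request

# Endpoint named in the advisory; the base URL is an argument.
ENDPOINT = "/tools/VamPersonPhoto.php"

# Generic database error fragments (assumed, not VAM-specific output).
DB_ERROR_PATTERNS = [
    r"you have an error in your sql syntax",
    r"warning:\s*mysqli?_",
    r"unclosed quotation mark after the character string",
    r"syntax error at or near",
    r"pg_query\(\)",
    r"ora-\d{5}",
    r"sqlstate\[",
]
DB_ERROR_RE = re.compile("|".join(DB_ERROR_PATTERNS), re.IGNORECASE)


def looks_like_db_error(body: str) -> bool:
    """True if the response body carries a database error message."""
    return DB_ERROR_RE.search(body) is not None


def classify(baseline_body: str, quoted_body: str) -> str:
    """Compare the response to a benign id with the response to id + "'".

    A database error that appears only when the quote is added is the
    error-based injection signal described in the advisory.
    """
    if looks_like_db_error(baseline_body):
        return "noisy"          # errors even on benign input; inconclusive
    if looks_like_db_error(quoted_body):
        return "vulnerable"
    return "not-detected"


def fetch(base_url: str, persoid: str, method: str = "GET", timeout: int = 10) -> str:
    """Request the endpoint with one persoid value; keep the body even on HTTP 5xx."""
    url = base_url.rstrip("/") + ENDPOINT
    encoded = urllib.parse.urlencode({"persoid": persoid})
    if method == "GET":
        req = urllib.request.Request(url + "?" + encoded)
    else:
        req = urllib.request.Request(url, data=encoded.encode(), method="POST")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")   # 500 pages often hold the error


def probe(base_url: str, persoid: str = "1", method: str = "GET") -> str:
    """Run the two-request check for one HTTP method."""
    return classify(fetch(base_url, persoid, method),
                    fetch(base_url, persoid + "'", method))


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: vam_sqli_check.py https://vam.example.internal")
    for http_method in ("GET", "POST"):
        print(http_method, probe(sys.argv[1], method=http_method))
```

A "noisy" result means the endpoint errors even on well-formed input, so the comparison cannot tell you anything; check the benign id actually exists before reading too much into it. After patching, both methods should come back "not-detected".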

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to /tools/VamPersonPhoto.php with unusual persoid parameter values
  • Database error messages in web server logs containing SQL syntax

Network Indicators:

  • HTTP requests with SQL keywords in persoid parameter
  • Unusual database query patterns from web server

SIEM Query (Splunk-style; assumes the query-string parameter is extracted as a field named persoid and is URL-decoded before matching, otherwise an encoded payload such as %27%20OR slips past a plain string match):

source="web_server" AND uri="/tools/VamPersonPhoto.php*" AND (persoid="*'*" OR persoid="*UNION*" OR persoid="*SELECT*" OR persoid="*FROM*" OR persoid="*--*")

A tighter variant flags any value that is not a plain unsigned integer, which is all the endpoint should ever receive:

source="web_server" AND uri="/tools/VamPersonPhoto.php*" | regex persoid!="^[0-9]+$"
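The following is an added example, not part of the original page, showing the same detection logic run over access-log lines when no SIEM field extraction is available. It parses Apache/nginx "combined" format, URL-decodes the persoid query parameter and flags any value that is not a plain unsigned integer, then counts flagged requests per source IP to surface the "multiple requests with unusual values" indicator. The log lines are constructed samples. Two limits to keep in mind: a POST body is not recorded in an access log (so the POST line below yields nothing and needs WAF or application logging), and the match runs on the decoded value, which is what a raw string search for "' OR" in the SIEM would miss.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/tools/VamPersonPhoto.php"

# Apache/nginx "combined" format: ip ident user [time] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
NUMERIC_ID = re.compile(r"[0-9]+")
# Tokens that never belong in an unsigned integer id; checked after URL-decoding.
SQLI_TOKENS = re.compile(r"'|\"|--|/\*|;|\b(?:or|and|union|select|from|sleep|benchmark)\b", re.I)

# Constructed sample log lines (not real VAM traffic). 198.51.100.7 sends three
# encoded probes; the POST on line 5 carries its parameter in the body, which the
# access log does not record; line 6 hits a different path and is ignored.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2020:10:01:02 +0000] "GET /tools/VamPersonPhoto.php?persoid=1042 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2020:10:01:09 +0000] "GET /tools/VamPersonPhoto.php?persoid=1042%27 HTTP/1.1" 500 812 "-" "python-requests/2.22.0"
198.51.100.7 - - [12/Jan/2020:10:01:10 +0000] "GET /tools/VamPersonPhoto.php?persoid=1042%27%20OR%201%3D1--%20 HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"
198.51.100.7 - - [12/Jan/2020:10:01:11 +0000] "GET /tools/VamPersonPhoto.php?persoid=1042%20AND%20(SELECT%201)%3D1 HTTP/1.1" 200 5120 "-" "python-requests/2.22.0"
10.0.0.5 - - [12/Jan/2020:10:02:00 +0000] "POST /tools/VamPersonPhoto.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Jan/2020:10:03:00 +0000] "GET /index.php?persoid=1%27 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""
SAMPLE_LINES = SAMPLE_LOG.splitlines()


def parse_line(line):
    """Split one combined-format line into fields; None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)   # percent-decodes and maps '+' to space
    return rec


def classify_persoid(value):
    """Return a reason string if the decoded value looks hostile, else None."""
    if NUMERIC_ID.fullmatch(value):
        return None
    if SQLI_TOKENS.search(value):
        return "sql-token"
    return "non-numeric"


def scan(lines):
    """Findings for every request to the endpoint whose persoid is not a plain integer."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != ENDPOINT:
            continue
        for value in rec["query"].get("persoid", []):
            reason = classify_persoid(value)
            if reason:
                findings.append({"ip": rec["ip"], "ts": rec["ts"], "status": rec["status"],
                                 "persoid": value, "reason": reason})
    return findings


def offenders(findings, threshold=2):
    """Source IPs with at least `threshold` flagged requests."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    results = scan(SAMPLE_LINES)
    for f in results:
        print(f"{f['ts']} {f['ip']} {f['status']} persoid={f['persoid']!r} ({f['reason']})")
    print("repeat offenders:", offenders(results))
```

Pair the status code with the finding: a 500 on a quoted value is the same error-based signal the verification step looks for, and a 200 on a value that carries OR/UNION/SELECT suggests the injected query ran successfully.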
