CVE-2019-25454

6.1 MEDIUM

📋 TL;DR

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious JavaScript into collection parameters. When users view the affected collection, the malicious script executes in their browsers. Anyone running phpMoAdmin 1.1.5 with internet access is affected.

💻 Affected Systems

Products:
  • phpMoAdmin
Versions: 1.1.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Any installation of phpMoAdmin 1.1.5 is vulnerable by default. The vulnerability requires the moadmin.php endpoint to be accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, redirect users to malicious sites, perform actions on behalf of authenticated users, or deploy malware through drive-by downloads.

🟠 Likely Case

Session hijacking, credential theft, defacement of the admin interface, or redirection to phishing sites.

🟢 If Mitigated

Limited impact with proper input validation, output encoding, and Content Security Policy headers.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a GET request with a malicious payload in the collection parameter. No authentication is needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: None

Vendor Advisory: http://www.phpmoadmin.com/

Restart Required: No

Instructions:

No official patch exists. Remove or replace phpMoAdmin with alternative MongoDB administration tools.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add input validation to sanitize collection parameter values before processing.

Modify moadmin.php to encode the collection parameter before it is used: $collection = htmlspecialchars($_GET['collection'], ENT_QUOTES, 'UTF-8'); Because the script is stored, collection names already written to the database must also be encoded wherever they are rendered, not only at input.

Access Restriction (platform: linux)

Restrict access to moadmin.php to trusted IP addresses only.

Add to .htaccess: Order Deny,Allow
Deny from all
Allow from 192.168.1.0/24

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block XSS payloads in GET parameters
  • Deploy Content Security Policy (CSP) headers to restrict script execution sources

🔍 How to Verify

Check if Vulnerable:

Check whether moadmin.php exists and the version is 1.1.5. Test by sending a GET request to: /moadmin.php?collection=<script>alert('XSS')</script>

Check Version:

Run grep -r 'version' phpmoadmin_files/ or check the file headers.

Verify Fix Applied:

After applying the workarounds, test with the same payload. The script should not execute and should appear properly encoded in the output.

📡 Detection & Monitoring

Log Indicators:

  • GET requests to moadmin.php with script tags in collection parameter
  • Unusual collection names containing JavaScript code

Network Indicators:

  • HTTP requests with <script> tags in URL parameters
  • Multiple requests to moadmin.php from single IP with varying collection parameters

SIEM Query:

source="web_logs" AND url="*moadmin.php*" AND (url="*<script>*" OR url="*javascript:*")
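The SIEM query above matches literal <script> and javascript: in the URL, so a URL-encoded payload (%3Cscript%3E) slips past it. The following is an added example, not part of the original advisory, that applies the same two indicators to Apache combined-format access logs after URL-decoding the collection parameter, and counts hits per source IP for the "multiple requests from a single IP" indicator. The log lines are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined-log format (not real traffic).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /moadmin.php?collection=users HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/Mar/2024:10:01:07 +0000] "GET /moadmin.php?collection=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 5200 "-" "curl/7.88"
10.0.0.9 - - [12/Mar/2024:10:01:09 +0000] "GET /moadmin.php?db=test&collection=%3CScRiPt%3E HTTP/1.1" 200 5200 "-" "curl/7.88"
10.0.0.9 - - [12/Mar/2024:10:01:11 +0000] "GET /moadmin.php?collection=javascript%3Aalert(1) HTTP/1.1" 200 5200 "-" "curl/7.88"
10.0.0.7 - - [12/Mar/2024:10:02:00 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 404 200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')
# The advisory's two indicators, checked on the decoded value and case-insensitive
# so mixed-case tags are not missed.
XSS_RE = re.compile(r'<\s*script|javascript\s*:', re.IGNORECASE)

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, ts, method, path, int(status)

def collection_values(path):
    """Extract every 'collection' value from the request path, fully URL-decoded."""
    query = urlsplit(path).query
    # parse_qs decodes one layer; unquote again so a double-encoded payload
    # such as %253Cscript%253E is also seen in its final form.
    return [unquote(v) for v in parse_qs(query, keep_blank_values=True).get("collection", [])]

def scan_log(text):
    """Return one alert dict per request to moadmin.php whose collection looks like XSS."""
    alerts = []
    for line in text.splitlines():
        parsed = parse_line(line)
        if not parsed or not urlsplit(parsed[3]).path.endswith("/moadmin.php"):
            continue
        ip, ts, method, path, status = parsed
        for value in collection_values(path):
            if XSS_RE.search(value):
                alerts.append({"ip": ip, "time": ts, "status": status, "collection": value})
    return alerts

def requests_per_ip(alerts):
    """Count alerts per source IP (the advisory's 'multiple requests from one IP' indicator)."""
    return Counter(a["ip"] for a in alerts)
```

Feed it a real access log with scan_log(open(path).read()) and alert on any IP whose count is above your baseline.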
