CVE-2019-25517

8.2 HIGH

📋 TL;DR

Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an unauthenticated SQL injection vulnerability in the haberarsiv.php file via the cid parameter. Attackers can execute arbitrary SQL queries to extract sensitive data like user credentials or modify database contents. All websites using this specific script version are affected.

💻 Affected Systems

Products:
  • Jettweb PHP Hazir Haber Sitesi Scripti
Versions: V1
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects the specific Jettweb PHP Hazir Haber Sitesi Scripti V1. Other versions or scripts are not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including credential theft, data destruction, or remote code execution if database permissions allow.

🟠 Likely Case

Extraction of sensitive information like admin credentials, user data, or database schema leading to further system compromise.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit code is publicly available on Exploit-DB and other sources. Attack requires no authentication and uses simple UNION-based SQL injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

1. Replace vulnerable script with updated version if available.
2. Manually patch haberarsiv.php to sanitize cid parameter input.
3. Implement parameterized queries or input validation.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize the cid parameter before processing

Modify haberarsiv.php to include: $cid = intval($_GET['cid']);

WAF Rule

all

Implement web application firewall rules to block SQL injection patterns

Add WAF rule: Detect and block UNION SELECT patterns in URL parameters

🧯 If You Can't Patch

  • Isolate the vulnerable system from internet access
  • Implement strict network segmentation and monitor for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test by sending a request to haberarsiv.php?cid=1 UNION SELECT 1,2,3-- and checking the response for database errors or unexpected output

Check Version:

Check script files for version information or consult documentation

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Multiple requests to haberarsiv.php with UNION, SELECT, or other SQL keywords in cid parameter
  • Database error messages in web server logs

Network Indicators:

  • HTTP requests containing SQL injection payloads in URL parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND url="*haberarsiv.php*" AND (url="*UNION*" OR url="*SELECT*" OR url="*--*" OR url="*'*" OR url="*;*")
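
A log check that decodes the cid value before matching also catches percent-encoded or mixed-case input. The following Python script is an added example, not part of the original advisory: it scans access-log lines for haberarsiv.php requests whose cid is not a plain integer. The combined log format, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request part of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Same indicators as the SIEM query above, applied to the decoded value.
SQL_TOKENS = re.compile(r"\b(union|select)\b|--|'|;", re.IGNORECASE)

def classify_cid(value):
    """Return None for a plain integer id, otherwise a reason string."""
    if re.fullmatch(r"\d+", value):
        return None
    return "sql-tokens" if SQL_TOKENS.search(value) else "non-integer"

def scan(lines):
    """Yield (client_ip, decoded_cid, reason) for suspicious haberarsiv.php hits."""
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = urlsplit(m.group(1))
        if not target.path.lower().endswith("/haberarsiv.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space.
        for value in parse_qs(target.query, keep_blank_values=True).get("cid", []):
            value = unquote(value)  # second pass covers double-encoded input
            reason = classify_cid(value)
            if reason:
                yield line.split(" ", 1)[0], value, reason

# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /haberarsiv.php?cid=3 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Mar/2024:10:00:05 +0000] "GET /haberarsiv.php?cid=1%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 734',
    '198.51.100.23 - - [10/Mar/2024:10:00:06 +0000] "GET /haberarsiv.php?cid=1+uNiOn+sElEcT+1,2,3--+ HTTP/1.1" 200 734',
    '203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "GET /haberarsiv.php?cid=abc HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "GET /index.php?q=select HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for ip, cid, reason in scan(SAMPLE_LOG):
        print(f"{ip}\t{reason}\tcid={cid!r}")
```

Because the intval() workaround makes every non-integer cid harmless, hits reported after the fix indicate probing rather than successful injection.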
