CVE-2019-9083

9.8 CRITICAL

📋 TL;DR

SQLiteManager versions 1.20 and 1.24 contain a SQL injection vulnerability in the dbsel parameter of main.php. This allows attackers to execute arbitrary SQL commands on the database. Since the product is discontinued, affected users remain vulnerable unless they implement workarounds.

💻 Affected Systems

Products:
  • SQLiteManager
Versions: 1.20, 1.24
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Product is discontinued with no official patches available. Any installation using these versions is vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, or deletion of entire databases. Could lead to full system compromise if database privileges allow file system access.

🟠 Likely Case

Unauthorized data access and extraction from SQLite databases managed by the application. Attackers can read, modify, or delete database contents.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are implemented, restricting SQL injection attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via URL parameter requires minimal technical skill. Public exploit details available in disclosure.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: N/A

Vendor Advisory: N/A

Restart Required: No

Instructions:

No official patch is available because the product is discontinued. Migrate to an alternative SQLite management tool.

🔧 Temporary Workarounds

Input Validation Filter

Platforms: all

Add allowlist validation for the dbsel parameter before it is used in any query.

Modify main.php to validate the dbsel parameter with preg_match('/^[a-zA-Z0-9_-]+$/', $_GET['dbsel']) or a similar allowlist, and reject the request when the value does not match.

Web Application Firewall

Platforms: all

Deploy WAF with SQL injection protection rules

Configure ModSecurity with OWASP CRS rules
Enable SQL injection protection in cloud WAF services

🧯 If You Can't Patch

  • Remove SQLiteManager from internet-facing systems immediately
  • Restrict access to SQLiteManager using network segmentation and firewall rules

🔍 How to Verify

Check if Vulnerable:

Check if SQLiteManager version is 1.20 or 1.24 by examining application files or version metadata

Check Version:

grep -rE 'version.*1\.2[04]' /path/to/sqlitemanager/ (the alternation must stay inside the version pattern, otherwise a bare 1.24 anywhere in the tree matches) or check the main.php header comments

Verify Fix Applied:

Test the dbsel parameter with SQL injection payloads like ' OR '1'='1 and confirm the request is rejected by the validation filter before any database query runs

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • HTTP requests with SQL keywords in dbsel parameter
  • Multiple failed login attempts or database errors

Network Indicators:

  • HTTP requests containing SQL injection patterns to main.php
  • Unusual outbound database connections from web server

SIEM Query:

source="web_logs" AND uri="/sqlitemanager/main.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "OR '1'='1'")
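The same check expressed as a small log scanner, added here as an example and not part of the original advisory. It applies the workaround's allowlist to the dbsel value of every request to main.php in constructed combined-format access-log lines, so anything the filter in main.php would reject is flagged regardless of which SQL keywords it uses; the log lines and host names are made up.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same allowlist the main.php workaround applies: a database selector
# should only ever be a plain name, never quotes, spaces or operators.
DBSEL_ALLOWED = re.compile(r"^[A-Za-z0-9_-]+$")

# Request line inside an Apache/nginx combined-format log entry.
_REQ = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Mar/2019:12:00:01 +0000] "GET /sqlitemanager/main.php?dbsel=1 HTTP/1.1" 200 5120',
    '10.0.0.5 - - [10/Mar/2019:12:00:09 +0000] "GET /sqlitemanager/main.php?dbsel=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Mar/2019:12:01:00 +0000] "GET /sqlitemanager/index.php HTTP/1.1" 200 800',
    '10.0.0.9 - - [10/Mar/2019:12:02:00 +0000] "POST /sqlitemanager/main.php?dbsel=main_db HTTP/1.1" 200 4096',
]


def suspicious_dbsel(log_line: str):
    """Return the percent-decoded dbsel value when the request targets
    main.php with a dbsel that fails the allowlist, otherwise None."""
    m = _REQ.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.lower().endswith("/main.php"):
        return None
    # parse_qs percent-decodes each value, so the allowlist sees the
    # same string the PHP code would see in $_GET['dbsel'].
    for value in parse_qs(parts.query, keep_blank_values=True).get("dbsel", []):
        if not DBSEL_ALLOWED.fullmatch(value):
            return value
    return None


def scan(lines):
    """Return (line_number, offending_dbsel) for every flagged entry."""
    hits = []
    for number, line in enumerate(lines, 1):
        value = suspicious_dbsel(line)
        if value is not None:
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: dbsel={value!r} fails allowlist")
```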
