CVE-2019-25346
Status: Awaiting Analysis - Queue
BaseFortify

Publication date: 2026-02-12

Last updated on: 2026-03-02

Assigner: VulnCheck

Description
TheSystem 1.0 contains a SQL injection vulnerability that allows attackers to bypass authentication by manipulating the 'server_name' parameter. Attackers can inject malicious SQL code like ' or '1=1 to retrieve unauthorized database records and potentially access sensitive system information.
Meta Information
Published: 2026-02-12
Last Modified: 2026-03-02
Generated: 2026-06-16
AI Q&A: 2026-02-12
EPSS Evaluated: 2026-06-14
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: kostasmitroglou
Product: password_management_application
Version / Range: 1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The vulnerability is a SQL injection in the TheSystem 1.0 application, specifically in the 'server_name' parameter of a POST request to the /data/ endpoint.

Attackers can manipulate this parameter by injecting malicious SQL code such as ' or '1=1, which allows them to bypass authentication mechanisms.

This happens because the application does not enforce proper login checks (login_required is not used), enabling unauthorized users to access database information. [1]

Impact Analysis

This vulnerability can allow attackers to bypass authentication and gain unauthorized access to sensitive database records.

As a result, attackers may retrieve confidential system information, potentially leading to data breaches or further exploitation of the system.

Detection Guidance

This SQL injection vulnerability can be detected by sending a specially crafted POST request to the /data/ endpoint with the 'server_name' parameter containing SQL injection payloads such as ' or '1=1.

For example, you can use curl to test the vulnerability by sending a multipart/form-data POST request with the 'server_name' parameter set to a SQL injection string:

curl -X POST http://target-system/data/ -F "server_name=' or '1=1"

If the response includes database entries or unauthorized data, it indicates the presence of the vulnerability. [1]
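The CWE-89 pattern described above beside its parameterized fix, as an added example that is not TheSystem's own code: the table, column names and stored values are constructed, and the payload is the one quoted in the advisory.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the application's server table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE servers (server_name TEXT, credential TEXT)")
    conn.executemany(
        "INSERT INTO servers VALUES (?, ?)",
        [("mail01", "constructed-secret-1"), ("db02", "constructed-secret-2")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, server_name: str) -> list:
    """CWE-89: the request parameter is spliced into the SQL text, so a quote
    character in it closes the literal and the rest is parsed as SQL."""
    sql = (
        "SELECT server_name, credential FROM servers "
        "WHERE server_name = '%s'" % server_name
    )
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, server_name: str) -> list:
    """Fix: a bound parameter is always data, never SQL syntax."""
    sql = "SELECT server_name, credential FROM servers WHERE server_name = ?"
    return conn.execute(sql, (server_name,)).fetchall()


PAYLOAD = "' or '1=1"  # the string quoted in the advisory


def demo() -> dict:
    """Run both lookups with the advisory's payload on a fresh constructed table."""
    conn = make_db()
    return {
        # WHERE server_name = '' or '1=1'  ->  every row comes back
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),
        # WHERE server_name = ?  with the whole payload as one string -> no row
        "fixed": lookup_parameterized(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The fix is the parameterized query alone; the missing login_required check noted in the executive summary is a separate authorization defect and must be addressed on the view itself.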
