CVE-2019-25439
Received Received - Intake

SQL Injection in NoviSmart CMS Referer Header Enables Data Theft

Vulnerability report for CVE-2019-25439, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-22

Last updated on: 2026-02-22

Assigner: VulnCheck

Description

NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-22
Last Modified
2026-02-22
Generated
2026-07-06
AI Q&A
2026-02-22
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
novismart cms to unreleased (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2019-25439 is a high-severity SQL injection vulnerability in NoviSmart CMS that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the HTTP Referer header field.

Attackers craft requests with time-based SQL injection payloads in the Referer header, which can manipulate backend SQL queries to extract sensitive database information or cause denial of service.

Impact Analysis

This vulnerability can allow attackers to extract sensitive information from the database, such as confidential data stored within the CMS.

It can also be exploited to cause denial of service, disrupting the availability of the NoviSmart CMS.

Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant security risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted HTTP requests with malicious payloads in the Referer header and observing the response or timing behavior.'}, {'type': 'paragraph', 'content': 'A common detection method involves using time-based blind SQL injection payloads in the Referer header, such as injecting a conditional SQL statement that causes a delay (e.g., sleep) if the injection is successful.'}, {'type': 'paragraph', 'content': 'For example, you can use curl to send a request with a Referer header containing a time-based payload like: if(now()=sysdate(),sleep(5),0). If the server response is delayed by the sleep duration, it indicates the vulnerability.'}, {'type': 'list_item', 'content': 'curl -H "Referer: \' OR IF(now()=sysdate(),SLEEP(5),0)-- " http://targetsite/'}, {'type': 'list_item', 'content': 'Observe if the response time is significantly increased, indicating successful SQL injection.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include filtering and sanitizing the Referer HTTP header input to prevent SQL injection payloads from being processed by the backend database.

Implement parameterized queries or prepared statements in the NoviSmart CMS codebase to avoid direct injection of user-controlled input into SQL queries.

Additionally, consider deploying a web application firewall (WAF) to detect and block malicious requests containing SQL injection patterns in headers.

If possible, update or patch the NoviSmart CMS to a version that addresses this vulnerability once available.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart