CVE-2019-25439
Received Received - Intake
SQL Injection in NoviSmart CMS Referer Header Enables Data Theft

Publication date: 2026-02-22

Last updated on: 2026-02-22

Assigner: VulnCheck

Description
NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-22
Last Modified
2026-02-22
Generated
2026-06-16
AI Q&A
2026-02-22
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25439
EUVD
EUVD-2019-19593
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
novismart cms to unreleased (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2019-25439 is a high-severity SQL injection vulnerability in NoviSmart CMS that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the HTTP Referer header field.

Attackers craft requests with time-based SQL injection payloads in the Referer header, which can manipulate backend SQL queries to extract sensitive database information or cause denial of service.

Impact Analysis

This vulnerability can allow attackers to extract sensitive information from the database, such as confidential data stored within the CMS.

It can also be exploited to cause denial of service, disrupting the availability of the NoviSmart CMS.

Because the attack requires no privileges or user interaction and can be performed remotely over the network, it poses a significant security risk.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted HTTP requests with malicious payloads in the Referer header and observing the response or timing behavior.'}, {'type': 'paragraph', 'content': 'A common detection method involves using time-based blind SQL injection payloads in the Referer header, such as injecting a conditional SQL statement that causes a delay (e.g., sleep) if the injection is successful.'}, {'type': 'paragraph', 'content': 'For example, you can use curl to send a request with a Referer header containing a time-based payload like: if(now()=sysdate(),sleep(5),0). If the server response is delayed by the sleep duration, it indicates the vulnerability.'}, {'type': 'list_item', 'content': 'curl -H "Referer: \' OR IF(now()=sysdate(),SLEEP(5),0)-- " http://targetsite/'}, {'type': 'list_item', 'content': 'Observe if the response time is significantly increased, indicating successful SQL injection.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include filtering and sanitizing the Referer HTTP header input to prevent SQL injection payloads from being processed by the backend database.

Implement parameterized queries or prepared statements in the NoviSmart CMS codebase to avoid direct injection of user-controlled input into SQL queries.

Additionally, consider deploying a web application firewall (WAF) to detect and block malicious requests containing SQL injection patterns in headers.

If possible, update or patch the NoviSmart CMS to a version that addresses this vulnerability once available.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart