CVE-2019-25460
SQL Injection in Web Ofisi Platinum E-Ticaret v5 Allows Data Extraction
Publication date: 2026-02-22
Last updated on: 2026-03-02
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| web-ofisi | platinum_e-ticaret | 5.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "The vulnerability in Web Ofisi Platinum E-Ticaret v5 is an SQL injection flaw that allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code through the 'q' GET parameter."}, {'type': 'paragraph', 'content': "Attackers exploit this by sending specially crafted requests to the 'arama' endpoint with malicious 'q' values using time-based SQL injection techniques. This enables them to extract sensitive information from the database by observing response delays caused by the injected SQL commands."}] [1]
How can this vulnerability impact me? :
This vulnerability can allow attackers to access and extract sensitive database information without authentication.
By exploiting the SQL injection, attackers can manipulate database queries, potentially leading to unauthorized data disclosure, data integrity issues, and loss of confidentiality.
The CVSS v3.1 score of 8.2 (High) and v4.0 score of 8.8 indicate a severe impact, especially on confidentiality, with limited impact on integrity and no impact on availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending specially crafted HTTP requests to the vulnerable endpoint and observing the response behavior, particularly using time-based SQL injection techniques.'}, {'type': 'list_item', 'content': "Send a GET request to the /arama endpoint with the 'q' parameter set to the payload: 0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z. If the response is delayed, it indicates the presence of the vulnerability."}, {'type': 'list_item', 'content': "Send a POST request to the /ajax/productsFilterSearch endpoint with the 'q' parameter in the POST data set to: kategori=&pageType=arama&q=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z&sayfa=1. Observe for response delays to confirm the vulnerability."}] [1]
What immediate steps should I take to mitigate this vulnerability?
I don't know