CVE-2019-25461
SQL Injection in Web Ofisi Platinum E-Ticaret v5 Allows Data Extraction
Publication date: 2026-02-22
Last updated on: 2026-03-10
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| web-ofisi | platinum_e-ticaret | 5.0.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
Web Ofisi Platinum E-Ticaret v5 has an SQL injection vulnerability that allows attackers who are not authenticated to manipulate database queries. This is done by injecting malicious SQL code through the 'q' parameter in POST requests sent to the ajax/productsFilterSearch endpoint.
Attackers can use time-based blind SQL injection techniques to extract sensitive information from the database without needing direct access.
How can this vulnerability impact me? :
This vulnerability can allow attackers to access sensitive database information by exploiting the SQL injection flaw. Since the attack requires no authentication, it poses a high risk of data exposure.
The CVSS v3.1 score of 8.2 indicates a high severity impact, with confidentiality being highly compromised, integrity partially compromised, and availability not affected.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending POST requests to the ajax/productsFilterSearch endpoint with specially crafted payloads in the 'q' parameter to test for SQL injection. Time-based blind SQL injection techniques can be used to confirm the presence of the vulnerability by observing response delays.
For example, you can use curl commands to send POST requests with SQL injection payloads in the 'q' parameter and monitor the response times to detect the vulnerability.
- curl -X POST -d "q=1' OR SLEEP(5)-- " https://target-site/ajax/productsFilterSearch
- curl -X POST -d "q=1' AND IF(SUBSTRING(@@version,1,1)='5', SLEEP(5), 0)-- " https://target-site/ajax/productsFilterSearch
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying input validation and sanitization on the 'q' parameter to prevent SQL injection attacks.
Additionally, restricting or filtering POST requests to the ajax/productsFilterSearch endpoint and implementing web application firewall (WAF) rules to detect and block SQL injection attempts can help mitigate the risk.
Ultimately, updating the Web Ofisi Platinum E-Ticaret software to a version that patches this vulnerability is recommended.