CVE-2019-25479

Received Received - Intake

SQL Injection in Inout RealEstate's agentlistdetails Endpoint

Publication date: 2026-03-12

Last updated on: 2026-03-12

Assigner: VulnCheck

Description

Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. Attackers can send POST requests to the agents/agentlistdetails endpoint with malicious SQL payloads in the city parameter to extract sensitive database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-12

Last Modified

2026-03-12

Generated

2026-06-16

AI Q&A

2026-03-12

EPSS Evaluated

2026-06-15

NVD

CVE-2019-25479

EUVD

EUVD-2019-19768

Affected Vendors & Products

Vendor	Product	Version / Range
inoutscripts	inout_realestate	*

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Detection Guidance

[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted POST requests to the endpoint /agents/agentlistdetails with malicious SQL payloads in the city parameter and observing the response for signs of SQL injection.'}, {'type': 'paragraph', 'content': 'A proof-of-concept payload uses the RLIKE operator with a conditional CASE statement to verify injection success.'}, {'type': 'paragraph', 'content': 'For example, using curl on a Linux system, you can test the vulnerability with a command like:'}, {'type': 'list_item', 'content': 'curl -X POST -d "city=\' RLIKE (CASE WHEN (SELECT 1 FROM users LIMIT 1)=1 THEN \'a\' ELSE \'b\' END) -- " https://targetsite.com/agents/agentlistdetails'}, {'type': 'paragraph', 'content': 'Monitoring network traffic for unusual POST requests to the agents/agentlistdetails endpoint with suspicious city parameter values can also help detect exploitation attempts.'}] [1, 2]

Mitigation Strategies

Immediate mitigation steps include prioritizing patching or updating the Inout RealEstate application to a version that fixes the SQL injection vulnerability.

If a patch is not available, implement input validation and sanitization on the city parameter to prevent SQL injection.

Additionally, restrict access to the agents/agentlistdetails endpoint to trusted users or networks where possible.

Use web application firewalls (WAFs) to detect and block malicious SQL injection payloads targeting this endpoint.

Employ advanced cyber threat intelligence platforms like VulnCheck to detect, prioritize, and remediate this vulnerability effectively.

Executive Summary

[{'type': 'paragraph', 'content': "CVE-2019-25479 is a SQL injection vulnerability in the Inout RealEstate web application. It occurs because the application does not properly neutralize special elements in SQL commands when processing the 'city' parameter in POST requests to the 'agents/agentlistdetails' endpoint."}, {'type': 'paragraph', 'content': "This flaw allows unauthenticated attackers to inject malicious SQL code through the 'city' parameter, which can manipulate database queries and potentially extract sensitive information from the backend database."}] [1, 2]

Impact Analysis

This vulnerability can have a significant impact as it allows attackers to extract sensitive database information without any authentication or user interaction.

Because attackers can manipulate database queries, they may gain unauthorized access to confidential data, which can lead to data breaches, loss of data integrity, and potential exposure of personal or business-critical information.

The vulnerability has a high severity score (CVSS v4 base score of 8.8), indicating a high risk to affected systems.

Compliance Impact

I don't know

Hi! I’m here to help you understand CVE-2019-25479. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2019-25479

SQL Injection in Inout RealEstate's agentlistdetails Endpoint

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart