CVE-2019-25479
SQL Injection in Inout RealEstate's agentlistdetails Endpoint
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inoutscripts | inout_realestate | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted POST requests to the endpoint /agents/agentlistdetails with malicious SQL payloads in the city parameter and observing the response for signs of SQL injection.'}, {'type': 'paragraph', 'content': 'A proof-of-concept payload uses the RLIKE operator with a conditional CASE statement to verify injection success.'}, {'type': 'paragraph', 'content': 'For example, using curl on a Linux system, you can test the vulnerability with a command like:'}, {'type': 'list_item', 'content': 'curl -X POST -d "city=\' RLIKE (CASE WHEN (SELECT 1 FROM users LIMIT 1)=1 THEN \'a\' ELSE \'b\' END) -- " https://targetsite.com/agents/agentlistdetails'}, {'type': 'paragraph', 'content': 'Monitoring network traffic for unusual POST requests to the agents/agentlistdetails endpoint with suspicious city parameter values can also help detect exploitation attempts.'}] [1, 2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include prioritizing patching or updating the Inout RealEstate application to a version that fixes the SQL injection vulnerability.
If a patch is not available, implement input validation and sanitization on the city parameter to prevent SQL injection.
Additionally, restrict access to the agents/agentlistdetails endpoint to trusted users or networks where possible.
Use web application firewalls (WAFs) to detect and block malicious SQL injection payloads targeting this endpoint.
Employ advanced cyber threat intelligence platforms like VulnCheck to detect, prioritize, and remediate this vulnerability effectively.
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2019-25479 is a SQL injection vulnerability in the Inout RealEstate web application. It occurs because the application does not properly neutralize special elements in SQL commands when processing the 'city' parameter in POST requests to the 'agents/agentlistdetails' endpoint."}, {'type': 'paragraph', 'content': "This flaw allows unauthenticated attackers to inject malicious SQL code through the 'city' parameter, which can manipulate database queries and potentially extract sensitive information from the backend database."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability can have a significant impact as it allows attackers to extract sensitive database information without any authentication or user interaction.
Because attackers can manipulate database queries, they may gain unauthorized access to confidential data, which can lead to data breaches, loss of data integrity, and potential exposure of personal or business-critical information.
The vulnerability has a high severity score (CVSS v4 base score of 8.8), indicating a high risk to affected systems.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know