CVE-2019-25504
SQL Injection in NCrypted Jobgator Agents Find-Jobs Endpoint
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ncrypted | jobgator | to latest (inc) |
| ncrypted | jobgator | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25504 is a high-severity SQL injection vulnerability in NCrypted Jobgator. It allows unauthenticated attackers to inject malicious SQL code through the "experience" parameter in POST requests sent to the agents Find-Jobs endpoint.

By exploiting this vulnerability, attackers can manipulate database queries and extract sensitive information from the database without needing any privileges or user interaction. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to sensitive database information. Attackers can extract confidential data by manipulating SQL queries through the vulnerable "experience" parameter.

Since the attack requires no authentication or user interaction, it poses a significant risk of data breach and exposure of sensitive information. [1, 2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL injection vulnerability can be detected by sending crafted POST requests to the vulnerable endpoint and observing the response for signs of SQL injection.

A typical detection command involves sending a POST request to the /agents/Find-Jobs endpoint with a malicious payload in the experience parameter to test for SQL injection.

- Example curl command to test the vulnerability: `curl -X POST https://[target]/agents/Find-Jobs -d "btnsearch=Search&experience=1" OR NOT 4365=4365#&job_title=Mr.&location=1"`

If the response indicates database errors or returns unexpected data, it suggests the presence of the SQL injection vulnerability. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include sanitizing and validating all user inputs, especially the experience parameter in POST requests to the agents Find-Jobs endpoint.
Implement prepared statements or parameterized queries to prevent SQL injection attacks.
Restrict access to the vulnerable endpoint if possible, and monitor network traffic for suspicious POST requests targeting the experience parameter.
Apply any available patches or updates from the vendor once released.
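The following is an added illustration of the CWE-89 pattern behind this advisory and of the parameterized-query fix recommended above; it is not Jobgator's code. The schema, the in-memory SQLite database, the field names taken from the Find-Jobs form (job_title, location, experience) and the test payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the Jobgator jobs table (hypothetical schema).
def setup_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, job_title TEXT, "
                "location TEXT, experience TEXT, internal_notes TEXT)")
    con.executemany(
        "INSERT INTO jobs (job_title, location, experience, internal_notes) VALUES (?, ?, ?, ?)",
        [("Mr.", "1", "1", "public"),
         ("Engineer", "2", "5", "confidential"),
         ("Manager", "3", "3", "confidential")])
    return con

def find_jobs_vulnerable(con, job_title, location, experience):
    # CWE-89: form fields are spliced straight into the SQL text, so quote
    # characters in a field can change the structure of the WHERE clause.
    sql = ("SELECT job_title, internal_notes FROM jobs "
           f"WHERE job_title = '{job_title}' AND location = '{location}' "
           f"AND experience = '{experience}'")
    return con.execute(sql).fetchall()

def validate_experience(experience):
    # Defence in depth: the field is meant to be a small non-negative integer,
    # so reject anything else before it reaches the database layer.
    if not experience.isdigit() or len(experience) > 2:
        raise ValueError("experience must be a 1-2 digit number")
    return experience

def find_jobs_safe(con, job_title, location, experience):
    # Parameterized query: values are bound separately from the SQL text, so
    # SQL syntax inside a field is treated as ordinary data, never as a query.
    sql = ("SELECT job_title, internal_notes FROM jobs "
           "WHERE job_title = ? AND location = ? AND experience = ?")
    return con.execute(sql, (job_title, location, validate_experience(experience))).fetchall()

# Constructed payload in SQLite syntax (single quote, "--" comment), not the
# advisory's MySQL-style payload; it comments out the closing quote.
PAYLOAD = "1' OR 1=1 --"

if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", find_jobs_vulnerable(db, "Mr.", "1", PAYLOAD))  # every row, notes included
    print("safe, legit:", find_jobs_safe(db, "Mr.", "1", "1"))           # only the matching job
    try:
        find_jobs_safe(db, "Mr.", "1", PAYLOAD)
    except ValueError as err:
        print("safe, payload rejected:", err)
```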