CVE-2019-25515
Received Received - Intake
Authentication Bypass via SQL Injection in Jettweb PHP Script

Publication date: 2026-03-12

Last updated on: 2026-03-17

Assigner: VulnCheck

Description
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and 'or' operators as username and password parameters to access the administration panel without valid credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-12
Last Modified
2026-03-17
Generated
2026-06-16
AI Q&A
2026-03-12
EPSS Evaluated
2026-06-15
NVD
CVE-2019-25515
EUVD
EUVD-2019-19790
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
jettweb php_stock_news_site_script 3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2019-25515 is an authentication bypass vulnerability in the Jettweb PHP Hazir Haber Sitesi Scripti version 3.0 and earlier. It occurs in the login.php administration panel due to improper handling of SQL commands, specifically allowing SQL injection (CWE-89).'}, {'type': 'paragraph', 'content': "Attackers can exploit this by submitting crafted SQL syntax, such as using equals signs and 'or' operators as username and password parameters, to bypass authentication and gain administrative access without valid credentials."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows unauthenticated attackers to gain administrative access to the affected system's administration panel."}, {'type': 'paragraph', 'content': 'With administrative access, attackers can control the administration panel, potentially leading to unauthorized changes, data exposure, or further exploitation of the system.'}, {'type': 'paragraph', 'content': 'Because the vulnerability has a high severity score (CVSS 8.7), it poses significant security risks to affected installations.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the login.php administration panel for authentication bypass using crafted SQL syntax. Specifically, attempts to log in with username and password parameters containing equals signs and 'or' operators can indicate the presence of the vulnerability."}, {'type': 'paragraph', 'content': "For detection, you can use tools like curl or Burp Suite to send HTTP POST requests to the login.php endpoint with payloads such as username='=' or 'or' and password='=' or 'or' to check if administrative access is granted without valid credentials."}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST -d "username=\'=\' or \'1\'=\'1\'-- &password=\'=\' or \'1\'=\'1\'--" http://targetsite/login.php'}] [1]

Mitigation Strategies

Immediate mitigation steps include restricting access to the login.php administration panel by IP whitelisting or network segmentation to prevent unauthorized external access.

Additionally, applying input validation and parameterized queries to the login.php script to prevent SQL injection is critical.

If available, update the Jettweb PHP Hazir Haber Sitesi Scripti to a version that patches this authentication bypass vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart