CVE-2019-25515
Authentication Bypass via SQL Injection in Jettweb PHP Script
Publication date: 2026-03-12
Last updated on: 2026-03-17
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| jettweb | php_stock_news_site_script | 3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2019-25515 is an authentication bypass vulnerability in the Jettweb PHP Hazir Haber Sitesi Scripti version 3.0 and earlier. It occurs in the login.php administration panel due to improper handling of SQL commands, specifically allowing SQL injection (CWE-89).'}, {'type': 'paragraph', 'content': "Attackers can exploit this by submitting crafted SQL syntax, such as using equals signs and 'or' operators as username and password parameters, to bypass authentication and gain administrative access without valid credentials."}] [1]
How can this vulnerability impact me? :
[{'type': 'paragraph', 'content': "This vulnerability allows unauthenticated attackers to gain administrative access to the affected system's administration panel."}, {'type': 'paragraph', 'content': 'With administrative access, attackers can control the administration panel, potentially leading to unauthorized changes, data exposure, or further exploitation of the system.'}, {'type': 'paragraph', 'content': 'Because the vulnerability has a high severity score (CVSS 8.7), it poses significant security risks to affected installations.'}] [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This vulnerability can be detected by testing the login.php administration panel for authentication bypass using crafted SQL syntax. Specifically, attempts to log in with username and password parameters containing equals signs and 'or' operators can indicate the presence of the vulnerability."}, {'type': 'paragraph', 'content': "For detection, you can use tools like curl or Burp Suite to send HTTP POST requests to the login.php endpoint with payloads such as username='=' or 'or' and password='=' or 'or' to check if administrative access is granted without valid credentials."}, {'type': 'list_item', 'content': 'Example curl command to test the vulnerability: curl -X POST -d "username=\'=\' or \'1\'=\'1\'-- &password=\'=\' or \'1\'=\'1\'--" http://targetsite/login.php'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the login.php administration panel by IP whitelisting or network segmentation to prevent unauthorized external access.
Additionally, applying input validation and parameterized queries to the login.php script to prevent SQL injection is critical.
If available, update the Jettweb PHP Hazir Haber Sitesi Scripti to a version that patches this authentication bypass vulnerability.