CVE-2019-25522
SQL Injection in XooGallery photo.php Allows Data Manipulation
Publication date: 2026-03-12
Last updated on: 2026-03-23
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| xooscripts | xoogallery | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': 'CVE-2019-25522 affects XooGallery Latest and involves multiple SQL injection vulnerabilities in the photo.php script.'}, {'type': 'paragraph', 'content': 'These vulnerabilities allow unauthenticated attackers to manipulate SQL queries by injecting malicious SQL code through the "photo_id" parameter in GET requests.'}, {'type': 'paragraph', 'content': 'Exploiting this flaw enables attackers to extract sensitive data, bypass authentication mechanisms, or modify database contents.'}] [1]
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to sensitive data, bypassing authentication controls, and unauthorized modification of database contents.
Because attackers do not need to be authenticated to exploit this flaw, it increases the risk of data breaches and potential loss of data integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted GET requests to the photo.php script with malicious values in the photo_id parameter to test for SQL injection.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar tools to send requests and observe if the application returns database errors or unexpected data.'}, {'type': 'list_item', 'content': 'curl "http://targetsite/photo.php?photo_id=1\' OR \'1\'=\'1"'}, {'type': 'list_item', 'content': 'curl "http://targetsite/photo.php?photo_id=1 UNION SELECT null, version(), null-- "'}, {'type': 'paragraph', 'content': 'If the responses contain database errors or reveal database version or other sensitive data, it indicates the presence of the SQL injection vulnerability.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include applying input validation and sanitization on the photo_id parameter to prevent SQL injection.
Additionally, updating XooGallery Latest to a version where this vulnerability is fixed is recommended.
If patching is not immediately possible, consider implementing a Web Application Firewall (WAF) to block malicious requests targeting the photo_id parameter.
Restricting direct access to photo.php or limiting GET requests with suspicious parameters can also help reduce risk.