CVE-2019-25529
SQL Injection in Placeto CMS Alpha rv.4 Admin Panel
Publication date: 2026-03-12
Last updated on: 2026-03-12
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| placeto | cms_alpha | 4 |
| placeto | cms_alpha | to 0.4a (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
[{'type': 'paragraph', 'content': "CVE-2019-25529 is an SQL injection vulnerability found in Placeto CMS Alpha revision 0.4a and earlier versions. It occurs in the 'page' parameter of the admin/edit.php endpoint, which allows authenticated attackers to inject malicious SQL code into database queries."}, {'type': 'paragraph', 'content': "Attackers exploit this vulnerability by sending specially crafted GET requests with malicious 'page' values using techniques such as boolean-based blind, time-based blind, and union-based SQL injection. These methods enable attackers to manipulate database queries and extract sensitive information from the database."}] [1, 2]
How can this vulnerability impact me? :
This vulnerability allows an authenticated attacker to manipulate database queries and extract sensitive information accessible to the authorized user.
The impact includes unauthorized disclosure of sensitive data from the database, which can compromise confidentiality. The vulnerability has a high confidentiality impact but low integrity and no availability impact.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by sending specially crafted GET requests to the admin/edit.php endpoint with malicious 'page' parameter values and observing the responses or behavior."}, {'type': 'list_item', 'content': 'Boolean-based blind SQL Injection detection: Use a payload like `page=JyI" AND 1647=1647 AND "svwN"="svwN` to check for true/false conditions.'}, {'type': 'list_item', 'content': 'Time-based blind SQL Injection detection: Use a payload such as `page=JyI" AND SLEEP(5) AND "uIvY"="uIvY` to cause a delay and confirm injection.'}, {'type': 'list_item', 'content': 'Union-based SQL Injection detection: Use a payload like `page=-8388" UNION ALL SELECT NULL,CONCAT(0x716b627671,0x6a636f485445445466517a4a6972635551635179725550617072647371784f6445576b74736849,0x716b6b6b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- CbSf` to extract data.'}, {'type': 'paragraph', 'content': 'These commands require authenticated access and can be executed by sending GET requests to the vulnerable endpoint and analyzing the responses for signs of SQL injection.'}] [2]
What immediate steps should I take to mitigate this vulnerability?
I don't know