CVE-2019-25536
SQL Injection in Netartmedia PHP Real Estate Agency 4.0 Allows Data Theft
Publication date: 2026-03-12
Last updated on: 2026-04-07
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netartmedia | real_estate_portal | 4.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25536 is a SQL injection vulnerability in Netartmedia PHP Real Estate Agency version 4.0. It allows unauthenticated attackers to inject arbitrary SQL code through the features[] parameter in POST requests to the index.php script.
By exploiting this vulnerability, attackers can manipulate the SQL queries executed by the application, potentially extracting sensitive database information or altering database behavior.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized access to sensitive data stored in the database, such as user information or property listings.
Attackers can also manipulate database queries, which might result in data corruption or unauthorized data modification.
Since the attack requires no authentication or user interaction, it poses a significant risk to the confidentiality and integrity of the applicationβs data.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This SQL injection vulnerability can be detected by sending crafted POST requests to the index.php script targeting the features[] parameter with SQL payloads that cause observable effects, such as time delays.'}, {'type': 'paragraph', 'content': 'A common detection method is to use a time-based blind SQL injection payload that uses the sleep() function to delay the server response if the injection is successful.'}, {'type': 'paragraph', 'content': 'For example, you can use curl or similar tools to send a POST request with the following payload in the features[] parameter:'}, {'type': 'list_item', 'content': 'features[]=(select(0)from(select(sleep(5)))v)/*\'+(select(0)from(select(sleep(5)))v)+\'"+(select(0)from(select(sleep(5)))v)+\'"*/'}, {'type': 'paragraph', 'content': 'If the server response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability.'}, {'type': 'paragraph', 'content': 'A sample curl command to test this might be:'}, {'type': 'list_item', 'content': 'curl -X POST -d "features[]=(select(0)from(select(sleep(5)))v)" -d "other_parameters=values" http://target-site/index.php'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Restrict or block access to the vulnerable index.php script, especially POST requests containing the features[] parameter, until a patch or fix is applied.
- Implement input validation and sanitization on the features[] parameter to prevent SQL injection payloads.
- Use prepared statements or parameterized queries in the application code to safely handle user inputs.
- Monitor logs for suspicious POST requests targeting the features[] parameter.
- Apply any available patches or updates from the vendor or consider upgrading to a non-vulnerable version.