CVE-2019-25640
Received Received - Intake
SQL Injection in Inout Article Base CMS Allows Data Theft

Publication date: 2026-03-24

Last updated on: 2026-03-24

Assigner: VulnCheck

Description
Inout Article Base CMS contains SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the 'p' and 'u' parameters. Attackers can inject SQL code using XOR-based payloads in GET requests to portalLogin.php to extract sensitive database information or cause denial of service through time-based attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-24
Last Modified
2026-03-24
Generated
2026-06-16
AI Q&A
2026-03-24
EPSS Evaluated
2026-06-14
NVD
CVE-2019-25640
EUVD
EUVD-2019-20020
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
inoutscripts inout_article_base_cms to 2019 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2019-25640 is a SQL injection vulnerability in the Inout Article Base CMS, specifically in the portalLogin.php script. It affects the 'p' and 'u' GET parameters, which are not properly sanitized. Attackers can inject XOR-based SQL payloads through these parameters to manipulate database queries."}, {'type': 'paragraph', 'content': 'This allows unauthenticated attackers to execute arbitrary SQL commands, potentially extracting sensitive information from the database or causing denial of service through time-based SQL injection attacks.'}] [1, 2]

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information, which may include user data or other confidential content stored in the CMS.

Additionally, attackers can cause denial of service by exploiting time-based SQL injection techniques, potentially disrupting the availability of the web application.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "This SQL injection vulnerability can be detected by sending specially crafted GET requests to the portalLogin.php script, targeting the 'p' and 'u' parameters with XOR-based timing payloads."}, {'type': 'list_item', 'content': "Example command to test the 'p' parameter: portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z&u=test"}, {'type': 'list_item', 'content': "Example command to test the 'u' parameter: portalLogin.php?d=65ded5353c5ee48d0b7d48c591b8f430&p=fe01ce2a7fbac8fafaed7c982a04e229&u=0'XOR(if(now()=sysdate(),sleep(0),0))XOR'Z"}, {'type': 'paragraph', 'content': 'These commands use timing-based SQL injection payloads to detect if the application is vulnerable by observing response delays caused by the sleep function.'}] [1]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2019-25640. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart