CVE-2019-25676

Received Received - Intake

Cross-Site Scripting and SQL Injection in Ask Expert

Publication date: 2026-04-05

Last updated on: 2026-04-20

Assigner: VulnCheck

Description

Ask Expert Script 3.0.5 contains cross-site scripting and SQL injection vulnerabilities that allow unauthenticated attackers to inject malicious code by manipulating URL parameters. Attackers can inject script tags through the cateid parameter in categorysearch.php or SQL code through the view parameter in list-details.php to execute arbitrary code or extract database information.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-04-05

Last Modified

2026-04-20

Generated

2026-05-07

AI Q&A

2026-04-06

EPSS Evaluated

2026-05-05

NVD

CVE-2019-25676

Affected Vendors & Products

Vendor	Product	Version / Range
phpscriptsmall	ask_expert_script	3.0.5

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-79	The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-79

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Powered Q&A

Can you explain this vulnerability to me?

The vulnerability in Ask Expert Script 3.0.5 involves cross-site scripting (XSS) and SQL injection issues. Unauthenticated attackers can exploit these by manipulating URL parameters. Specifically, they can inject malicious script tags through the 'cateid' parameter in the categorysearch.php file, leading to cross-site scripting attacks. Additionally, they can inject SQL code through the 'view' parameter in list-details.php, which can allow execution of arbitrary code or extraction of database information.

How can this vulnerability impact me? :

This vulnerability can have serious impacts including unauthorized execution of malicious scripts in users' browsers (via XSS), which can lead to session hijacking, defacement, or redirection to malicious sites. The SQL injection aspect can allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized access to sensitive database information, data leakage, or manipulation of the database.

Ask Our AI Assistant

Need more information? Ask your question to get an AI reply (Powered by our expertise)

0/70

CVE-2019-25676

Cross-Site Scripting and SQL Injection in Ask Expert

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Powered Q&A

Ask Our AI Assistant

EPSS Chart