CVE-2019-25726
Deferred - Pending Action
SQL Injection in All in One Video Downloader

Publication date: 2026-06-04

Last updated on: 2026-06-04

Assigner: VulnCheck

Description
All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.
Meta Information
Published: 2026-06-04
Last Modified: 2026-06-04
Generated: 2026-06-04
AI Q&A: 2026-06-04
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: niche_office
Product: all_in_one_video_downloader
Version / Range: to 1.2 (inc)
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2019-25726 is a SQL injection vulnerability found in All in One Video Downloader version 1.2. It allows unauthenticated attackers to inject malicious SQL code through the 'id' parameter in the admin page-edit functionality. This flaw occurs because the input is not properly sanitized, enabling attackers to execute arbitrary SQL queries.

By exploiting this vulnerability, attackers can use UNION-based SQL injection payloads to extract sensitive information from the database, such as usernames, database names, and version details.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending specially crafted HTTP requests to the admin interface of the All in One Video Downloader version 1.2, targeting the 'id' parameter with UNION-based SQL injection payloads.

A common detection method involves using tools like curl or sqlmap to test for SQL injection by injecting SQL payloads into the 'id' parameter of the admin page-edit URL.

  • Using curl to test for SQL injection: curl -v "http://target-site/admin/page-edit?id=1' UNION SELECT NULL--"
  • Using sqlmap to automate detection: sqlmap -u "http://target-site/admin/page-edit?id=1" --batch

Successful exploitation or detection typically reveals database information such as usernames, database names, or version details in the response.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the admin interface to trusted users only, such as by IP whitelisting or authentication enforcement.

Additionally, applying input validation and sanitization on the 'id' parameter to prevent SQL injection is critical.

If possible, update the All in One Video Downloader software to a version that patches this vulnerability or apply any available security patches.

As a temporary measure, monitoring and blocking suspicious requests containing SQL injection payloads targeting the 'id' parameter can help reduce risk.
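One way to do the monitoring described above, as an added example that is not part of the original advisory or the product's code: a log scan that flags requests to the admin page-edit path whose decoded 'id' value is not a plain integer. The combined log format, the integer-only id rule and the sample log lines are assumptions made for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumption: Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>.+?) HTTP/[\d.]+" (?P<status>\d{3})'
)
ADMIN_PATH = "/admin/page-edit"  # path as it appears in the page's curl example
# Markers of the UNION-based injection the advisory describes.
SQL_HINT = re.compile(r"union\s+select|--|/\*|'", re.IGNORECASE)

def classify_id(value):
    """Return 'ok', 'non-numeric' or 'sqli-like' for one decoded id value."""
    if re.fullmatch(r"[0-9]+", value):  # assumption: valid ids are plain integers
        return "ok"
    return "sqli-like" if SQL_HINT.search(value) else "non-numeric"

def scan(lines):
    """Return (line_no, client_ip, status, verdict, decoded_id) per suspicious request."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith(ADMIN_PATH):
            continue  # only the affected admin endpoint is of interest
        # parse_qs percent-decodes values, so encoded payloads are checked in clear text
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            verdict = classify_id(value)
            if verdict != "ok":
                findings.append((line_no, m["ip"], m["status"], verdict, value))
    return findings

# Constructed sample log lines (documentation IP ranges), not from a real system.
SAMPLE_LOG = [
    '192.0.2.10 - - [04/Jun/2026:10:00:01 +0000] "GET /admin/page-edit?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [04/Jun/2026:10:00:05 +0000] "GET /admin/page-edit?id=1%27%20UNION%20SELECT%20NULL-- HTTP/1.1" 200 5312 "-" "curl/8.5.0"',
    '203.0.113.5 - - [04/Jun/2026:10:00:09 +0000] "GET /admin/page-edit?id=abc HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [04/Jun/2026:10:00:12 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A flagged request that returned status 200 deserves closer review than one that was rejected, since the response may have contained query output.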


How can this vulnerability impact me?

This vulnerability can have serious impacts including unauthorized access to sensitive database information. Attackers can retrieve critical data such as database usernames, database names, and version information.

Such information disclosure can lead to further attacks, including privilege escalation, data theft, or manipulation of the database contents.

Because the vulnerability is exploitable without authentication and has a high severity score (CVSS 8.8), it poses a significant security risk to affected systems.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The SQL injection vulnerability in All in One Video Downloader 1.2 allows unauthenticated attackers to extract sensitive database information such as usernames and database details. This exposure of sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access.

By enabling attackers to access sensitive data through SQL injection, the vulnerability increases the risk of data breaches, which can result in legal and financial penalties under these regulations.

