CVE-2019-25732
PHP SQL Injection in EI-Tube Script
Publication date: 2026-06-04
Last updated on: 2026-06-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2019-25732 is a SQL injection vulnerability in PHP EI-Tube Script 3 that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the search parameter.
Attackers exploit this by sending specially crafted GET requests to the search endpoint with malicious SQL payloads in the query parameter.
This enables them to extract sensitive information from the database, such as usernames, passwords, and version details.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows attackers to extract sensitive database information including usernames and passwords through SQL injection. This unauthorized access to confidential data can lead to violations of data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information from unauthorized disclosure.
By exposing sensitive user data, the vulnerability increases the risk of non-compliance with standards that mandate data confidentiality, integrity, and access controls.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the SQL injection vulnerability in PHP EI-Tube Script 3, immediate steps include restricting or sanitizing input to the search parameter to prevent injection of malicious SQL code.
Additionally, it is advisable to implement proper input validation and use parameterized queries or prepared statements to avoid direct injection of user input into SQL queries.
If possible, temporarily disable or restrict access to the vulnerable search endpoint until a patch or update is applied.
Monitoring and logging suspicious GET requests to the search endpoint can help detect exploitation attempts.
How can this vulnerability impact me? :
This vulnerability can have serious impacts as it allows attackers to gain unauthorized access to confidential data stored in the database.
- Extraction of sensitive information like usernames and passwords.
- Exposure of database version and other internal details that could aid further attacks.
Such unauthorized access can lead to data breaches, loss of user trust, and potential compromise of the entire system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by sending crafted GET requests to the search endpoint with malicious SQL payloads in the query parameter and observing the response for signs of SQL injection.
For example, you can test the search parameter by appending SQL injection payloads such as "-999" followed by SQL commands or using union-based SQL injection payloads to see if the application returns database information like usernames or version details.
A sample command to test might be using curl to send a GET request with a crafted payload:
- curl "http://targetsite.com/search.php?query=-999' UNION SELECT user(), version(), database()-- "
If the response contains database information or error messages related to SQL syntax, it indicates the presence of the SQL injection vulnerability.