Platform: php
Component: ask-expert-script
Fixed in: 3.0.6
CVE-2019-25676 describes a SQL injection vulnerability in Ask Expert Script version 3.0.5. It allows unauthenticated attackers to inject SQL through URL parameters, which can lead to disclosure of database contents and further compromise of the host. Only version 3.0.5 is listed as affected; the metadata above records 3.0.6 as the fixed release.
The SQL injection in Ask Expert Script is a significant risk. An attacker who controls part of a query can read data the application never intended to expose, including user credentials, personal information and stored configuration, and may bypass application-level authentication checks that rely on the same database. Depending on the database account's privileges, arbitrary SQL may also allow data modification or deletion, and in the worst case (for example, file-write or command-execution features of the database) a full takeover of the server. The impact is larger where the database holds critical business data or is shared with other applications.
CVE-2019-25676 was published on 2026-04-05. No public proof-of-concept exploit is currently known, but SQL injection through a URL parameter is well understood and typically easy to exploit with off-the-shelf tooling, so the combination of low effort and high impact warrants prompt attention. It is not currently listed in the CISA KEV catalog.
Websites and applications running Ask Expert Script version 3.0.5 are at risk. This includes smaller businesses and organizations that use the script for customer support or product information. Shared hosting environments are a particular concern: if the database user or the web server account is shared across sites on the same server, a compromise of one site can extend to the others.
Checks

• php / web (confirms the script files and the affected parameters are present on the host):
grep -n "cateid" /var/www/html/categorysearch.php
grep -n "view" /var/www/html/list-details.php

• generic web (confirms the affected endpoints are reachable):
curl -I 'http://your-site.com/categorysearch.php?cateid='
curl -I 'http://your-site.com/list-details.php?view='

Disclosure
Exploit status
EPSS: 0.13% (32nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25676 is to upgrade to a fixed release of Ask Expert Script (the metadata above lists 3.0.6). Where an upgrade is not immediately possible, validate and sanitize the cateid parameter in categorysearch.php and the view parameter in list-details.php, preferably by casting to the expected type and by passing values to the database only through parameterized queries rather than string concatenation. A Web Application Firewall configured to block SQL injection patterns adds a layer of protection but is not a substitute for the fix. Monitor web server access logs for injection attempts against these two parameters, looking for quote characters, comment sequences and SQL keywords in the query string.
Upgrade to a fixed version of Ask Expert Script. Check the vendor's website or support forums for information on available updates. If no fixed version is available to you, consider disabling or removing the script until one is published.
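The log-monitoring advice above can be turned into a small scanner. The script below is an added example written for this page, not code from Ask Expert Script or its vendor. It parses Apache combined-format access-log lines (the sample lines are constructed for the example and are not real traffic), pulls the cateid and view parameters from requests to categorysearch.php and list-details.php, and flags values that are not plain integers or that contain SQL metacharacters or keywords. The assumption that both parameters are expected to be integer identifiers is mine; the page does not state the parameters' types.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log lines in Apache combined format (not real traffic).
# Two benign requests, three injection attempts, one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [05/Apr/2026:10:01:12 +0000] "GET /categorysearch.php?cateid=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [05/Apr/2026:10:01:15 +0000] "GET /list-details.php?view=7 HTTP/1.1" 200 3010 "-" "Mozilla/5.0"
198.51.100.9 - - [05/Apr/2026:10:02:40 +0000] "GET /categorysearch.php?cateid=12%27%20OR%201%3D1-- HTTP/1.1" 200 9870 "-" "curl/8.0"
198.51.100.9 - - [05/Apr/2026:10:02:43 +0000] "GET /list-details.php?view=7%20UNION%20SELECT%20user,pass%20FROM%20users HTTP/1.1" 500 410 "-" "curl/8.0"
198.51.100.9 - - [05/Apr/2026:10:02:50 +0000] "GET /list-details.php?view=7%20AND%20SLEEP(5) HTTP/1.1" 200 3010 "-" "curl/8.0"
192.0.2.77 - - [05/Apr/2026:10:03:01 +0000] "GET /index.php?page=about HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
"""

# Endpoint -> parameter named in the advisory. Assumption: both are integer IDs,
# so any value that is not a bare integer deserves a second look.
WATCHED = {"/categorysearch.php": "cateid", "/list-details.php": "view"}

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Quote/comment characters and common injection keywords, matched after URL decoding.
SQLI_RE = re.compile(
    r"(?i)(['\";]|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+\s*=\s*\d+|\bsleep\s*\(|\bbenchmark\s*\()"
)


def parse_line(line):
    """Return a dict with ip, path, params and status, or None for a non-matching line."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    # parse_qs percent-decodes values, so the injection payload is inspected in clear text.
    params = parse_qs(parts.query, keep_blank_values=True)
    return {"ip": m.group("ip"), "path": parts.path, "params": params,
            "status": int(m.group("status"))}


def classify(value):
    """Return a reason if the parameter value looks suspicious, otherwise None."""
    if re.fullmatch(r"\d+", value):
        return None
    if SQLI_RE.search(value):
        return "sql-metacharacters"
    return "non-numeric"


def scan(log_text):
    """Scan log text and return one finding per suspicious watched parameter value."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        param = WATCHED.get(rec["path"])
        if param is None:
            continue
        for value in rec["params"].get(param, []):
            reason = classify(value)
            if reason:
                findings.append({"ip": rec["ip"], "path": rec["path"], "param": param,
                                 "value": value, "reason": reason, "status": rec["status"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['param']}={f['value']!r} [{f['reason']}] status={f['status']}")
```

Run against a real log with `scan(open("/var/log/apache2/access.log").read())`. The "non-numeric" bucket is deliberately noisy: it will catch the empty-value probes from the curl checks above as well as genuine attacks, and it is the right place to tune once you know what legitimate values look like on your site.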
CVE-2019-25676 is a SQL injection vulnerability affecting Ask Expert Script version 3.0.5 that allows attackers to inject SQL through URL parameters.
If you are running Ask Expert Script version 3.0.5, you are potentially affected. Upgrade to a fixed version as soon as possible.
The recommended fix is to upgrade to a fixed version of Ask Expert Script. If an immediate upgrade is not possible, validate and sanitize the vulnerable parameters and use parameterized queries.
There is no public evidence of CVE-2019-25676 being actively exploited, but the ease of exploiting SQL injection warrants immediate attention.
Refer to the vendor's website or security advisories for the latest information and updates regarding CVE-2019-25676.