Platform: php
Component: eclass-platform
Fixed in: 2.25.10.2.1
CVE-2019-9885 describes a critical SQL Injection vulnerability affecting the eClass platform. This flaw allows attackers to inject malicious SQL commands, potentially granting unauthorized access to sensitive data and compromising the entire system. The vulnerability impacts versions of eClass up to and including 2.25.10.2.1. A patch is available in version 2.25.10.2.1.
Successful exploitation of CVE-2019-9885 could allow an attacker to bypass authentication and directly manipulate the database. This could expose student records, grades, administrative data, and potentially even system configuration files. An attacker could extract sensitive information, modify data, or gain control of the underlying database server. The blast radius extends to all data stored in the eClass database, making this a high-impact vulnerability. Although no specific prior incident involving this flaw is known, SQL injection vulnerabilities are frequently exploited to gain persistent access and escalate privileges.
CVE-2019-9885 was publicly disclosed on July 25, 2019. The vulnerability is considered highly exploitable due to the ease of injecting SQL commands through a publicly accessible parameter. No active exploitation campaigns have been publicly reported at the time of this writing, but the vulnerability remains a significant risk due to its severity and ease of exploitation. It is not listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.63% (70th percentile)
CVSS Vector
The primary mitigation for CVE-2019-9885 is to immediately upgrade the eClass platform to version 2.25.10.2.1 or later. If upgrading is not immediately feasible, consider implementing input validation and sanitization on the StudentID parameter in /admin/academic/studenview_left.php to prevent SQL injection attempts. Web application firewalls (WAFs) configured to detect and block SQL injection payloads can also provide a temporary layer of protection. Regularly review and audit database access controls to ensure least privilege is enforced.
Update the eClass platform to version 2.25.10.2.1 or higher. This update corrects the SQL injection vulnerability in the StudentID parameter of /admin/academic/studenview_left.php.
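As an added illustration of the input-validation workaround described above (example code, not taken from eClass or from this advisory), the following PHP handler validates a StudentID-style request parameter and then binds it into a prepared statement; the PDO connection, the student table and its columns are assumed names.

```php
<?php
// Added example, not eClass code: hardening a lookup that previously
// interpolated a request parameter such as $_GET['StudentID'] into SQL.
// Assumptions: a PDO connection and a hypothetical "student" table with
// integer "id" and text "name" columns.

declare(strict_types=1);

function validateStudentId(mixed $raw): ?int
{
    // Accept only a plain decimal integer. Quotes, comments, keywords and
    // anything else non-numeric are rejected before reaching the database.
    if (!is_string($raw) || !preg_match('/^\d{1,10}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

function fetchStudent(PDO $db, mixed $rawStudentId): ?array
{
    $id = validateStudentId($rawStudentId);
    if ($id === null) {
        return null; // caller should answer HTTP 400 and log the rejected value
    }
    // Binding keeps the value out of the SQL text, so the query structure
    // cannot be altered even if validation were later relaxed.
    $stmt = $db->prepare('SELECT id, name FROM student WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Self-contained run against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE student (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO student VALUES (42, 'Example Student')");

var_dump(fetchStudent($db, '42'));        // legitimate id: returns the row
var_dump(fetchStudent($db, '42 OR 1=1')); // non-numeric input: NULL, never queried
```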
CVE-2019-9885 is a critical SQL Injection vulnerability in eClass platform versions up to 2.25.10.2.1, allowing attackers to execute SQL commands via a vulnerable parameter.
You are affected if you are running eClass platform versions prior to 2.25.10.2.1. Immediately check your version and upgrade if necessary.
Upgrade to eClass platform version 2.25.10.2.1 or later to resolve this vulnerability. Implement input validation as a temporary workaround if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation make it a significant risk.
Refer to the eClass security advisories on their official website for detailed information and updates regarding CVE-2019-9885.