CVE-2019-25675: eDirectory SQL Injection - Admin Bypass
Platform: php
Component: edirectory
CVE-2019-25675 represents a critical SQL Injection vulnerability discovered in eDirectory versions 1.0.0 through 1.0. This flaw allows unauthenticated attackers to inject malicious SQL code, potentially bypassing administrator authentication and leading to the disclosure of sensitive files. The vulnerability stems from improper input validation within the login endpoint and subsequent file handling processes. As of the last update, no official patch has been released to address this security concern.
How to fix
Update to the latest available version of eDirectory, since the authentication-bypass SQL injection vulnerability affects all versions. Review and strengthen security measures, including validation and sanitization of user input at the login endpoint and in file handling.
Frequently asked questions
What is CVE-2019-25675?
CVE-2019-25675 is a SQL Injection vulnerability in eDirectory (versions 1.0.0–1.0) that allows attackers to bypass administrator authentication and potentially disclose sensitive files by injecting SQL code into parameters.
Am I affected by CVE-2019-25675?
You are potentially affected if you are running eDirectory versions 1.0.0 through 1.0 and have not applied a patch. This vulnerability is particularly concerning as it allows unauthenticated access.
How can I fix or mitigate CVE-2019-25675?
Currently, no official patch is available for CVE-2019-25675. Mitigation strategies include isolating the eDirectory server, implementing strict network segmentation, and carefully reviewing all input validation routines.
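The fix guidance above and in the "How to fix" section comes down to never letting request values reach the SQL text of the login query. The following is an added illustration, not eDirectory's own code: a legacy PHP login check that concatenates request values, beside the same check as a prepared statement, run against an in-memory SQLite table with a constructed admin row (table layout, column names and the placeholder password are assumptions).

```php
<?php
// Added example, not eDirectory's own code. Two versions of a PHP login
// check against an in-memory SQLite table with one constructed admin row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT, password_hash TEXT, is_admin INTEGER)');
// Constructed credentials. Unsalted md5 is kept only so both versions share
// one table; password_hash()/password_verify() is the right storage choice.
$db->exec("INSERT INTO users VALUES ('admin', '" . md5('placeholder-pw') . "', 1)");

// Vulnerable pattern: request values are spliced into the SQL text, so a
// quote in $user rewrites the WHERE clause instead of being compared as data.
function loginVulnerable(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT username, is_admin FROM users "
         . "WHERE username = '$user' AND password_hash = '" . md5($pass) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: a prepared statement sends the query shape and the
// values separately, so $user can only ever be matched as a string literal.
function loginHardened(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare(
        'SELECT username, is_admin FROM users WHERE username = :u AND password_hash = :h'
    );
    $stmt->execute([':u' => $user, ':h' => md5($pass)]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed probe input: the quote closes the string and "--" comments out
// the password check, so the concatenated query returns the admin row with
// no password at all; the prepared statement matches no user named this.
$probe = "admin' --";
echo 'vulnerable: ', loginVulnerable($db, $probe, 'anything') ? 'admin session' : 'denied', PHP_EOL;
echo 'hardened:   ', loginHardened($db, $probe, 'anything') ? 'admin session' : 'denied', PHP_EOL;
echo 'legit:      ', loginHardened($db, 'admin', 'placeholder-pw') ? 'admin session' : 'denied', PHP_EOL;
```

The same binding discipline applies to any file path or record id the application reads after login, which is where the advisory's file-disclosure impact comes from.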