CRITICAL · CVE-2019-25456 · CVSS 9.1

Web Ofisi Emlak v2 SQL Injection via ara Parameter


Platform

php

Component

web-ofisi-emlak

Fixed version

2.0.1

AI Confidence: high · NVD · EPSS 0.1% · Reviewed: May 2026

CVE-2019-25456 describes a critical SQL Injection vulnerability discovered in Web Ofisi Emlak, version 2.0.0–v2. This flaw allows unauthenticated attackers to inject malicious SQL code through the 'ara' GET parameter, potentially leading to unauthorized data access and denial-of-service. A patch is available in version 2.5.4, and users are strongly advised to upgrade immediately.

Impact and Attack Scenarios

The SQL Injection vulnerability in Web Ofisi Emlak presents a significant risk. An attacker can leverage this flaw to bypass authentication and directly manipulate database queries. This could result in the extraction of sensitive data, including user credentials, financial information, or other confidential records stored within the database. Furthermore, the attacker could execute arbitrary SQL commands, potentially leading to data corruption, modification, or complete deletion. The impact extends beyond data theft; a successful attack could render the application unusable, causing a denial-of-service condition. While no specific real-world exploitation has been publicly reported, the ease of exploitation and the potential for severe consequences make this a high-priority vulnerability.

Exploitation Status

CVE-2019-25456 was published on 2026-02-22. There is no indication of this vulnerability being actively exploited in the wild, nor is it listed on CISA KEV. Public proof-of-concept exploits are not widely available, but the vulnerability's nature makes it relatively easy to exploit, increasing the likelihood of future attacks if left unpatched. The EPSS score is likely medium, reflecting the ease of exploitation and potential impact.

Who Is at Risk

Organizations utilizing Web Ofisi Emlak v2.0.0–v2, particularly those hosting the application on shared hosting environments or without robust input validation practices, are at significant risk. Legacy deployments that have not been regularly updated are also particularly vulnerable.

Detection Steps

• php: Examine web server access logs for requests to URLs containing the 'ara' parameter with unusual characters or SQL keywords (e.g., 'UNION', 'SELECT', ';').

grep 'ara[=].*UNION.*' /var/log/apache2/access.log

• php: Search application code for instances where the 'ara' parameter is used in SQL queries without proper sanitization or escaping.
• generic web: Use a WAF to monitor and block requests containing SQL injection payloads targeting the 'ara' parameter.
• generic web: Monitor database logs for unusual SQL queries originating from the application server.
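The plain grep above only matches a literal upper-case 'UNION' in the raw log line, so a URL-encoded or lower-case payload slips past it. The following is an added example (not part of this advisory or of the Web Ofisi Emlak code) that URL-decodes the 'ara' value from Apache combined-format log lines before matching; the path /arama.php and the log lines are constructed for illustration.

```php
<?php
// Added example, not from the advisory or the Web Ofisi Emlak code: flag access
// log lines whose 'ara' query parameter carries SQL injection indicators.
// Values are URL-decoded first, so encoded or lower-case payloads are caught.

function araSqlIndicators(string $logLine): array
{
    // Request field of the Apache combined log format: "METHOD /path?query HTTP/x.y"
    if (!preg_match('#"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"#', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if (!is_string($query)) {
        return [];
    }
    parse_str($query, $params); // parse_str also URL-decodes the values
    if (!isset($params['ara']) || !is_string($params['ara'])) {
        return [];
    }
    $value = strtolower($params['ara']);
    $patterns = [
        'union-select' => '/\bunion\b.*\bselect\b/s',
        'quote'        => "/'/",
        'comment'      => '#--|/\*#',
        'stacked'      => '/;/',
    ];
    $hits = [];
    foreach ($patterns as $name => $re) {
        if (preg_match($re, $value)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic); the second one is URL-encoded
// and lower-case, which the literal grep would not match.
$sampleLog = [
    '203.0.113.5 - - [22/Feb/2026:10:00:01 +0000] "GET /arama.php?ara=daire HTTP/1.1" 200 5120',
    '203.0.113.7 - - [22/Feb/2026:10:00:02 +0000] "GET /arama.php?ara=daire%27%20union%20select%201--%20 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [22/Feb/2026:10:00:03 +0000] "GET /arama.php?ara=x%27%3B HTTP/1.1" 500 312',
];
foreach ($sampleLog as $line) {
    $hits = araSqlIndicators($line);
    if ($hits !== []) {
        echo 'ALERT [' . implode(',', $hits) . '] ' . $line . "\n";
    }
}
```

Run it over a real access log by replacing $sampleLog with file('/var/log/apache2/access.log'); a quote alone is a weak signal on its own, so tune which indicators page an analyst.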


Threat Intelligence

Exploit Status

Proof of concept: unknown
CISA KEV: no
Internet exposure
Reports: 1 threat report

EPSS

0.12% (31st percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical impact: partial

CVSS Vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H · Score 9.1 · CRITICAL

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required for exploitation)
Privileges Required: None (authentication level needed for the attack)
User Interaction: None (whether the victim must act)
Scope: Unchanged (spread beyond the affected component)
Confidentiality: High (risk of sensitive data disclosure)
Integrity: None (risk of unauthorized data tampering)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet; no physical or local access required.
Attack Complexity
Low: no special conditions; reliably exploitable.
Privileges Required
None: no authentication; exploitable without credentials.
User Interaction
None: automated and silent attack; the victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality; all data readable.
Integrity
None: no impact on integrity.
Availability
High: complete crash or resource exhaustion; full denial of service.

Affected Software

Component: web-ofisi-emlak
Vendor: Web-ofisi
Affected range: v2 – v2
Fixed version: 2.0.1


Mitigations and Workarounds

The primary mitigation for CVE-2019-25456 is to upgrade Web Ofisi Emlak to version 2.5.4 or later, which includes the necessary fix. If immediate upgrading is not possible, consider implementing temporary workarounds. Input validation and sanitization on the 'ara' parameter are crucial. Employing a Web Application Firewall (WAF) with SQL Injection protection rules can help block malicious requests. Regularly review database access logs for suspicious activity, specifically looking for unusual SQL queries originating from the 'ara' parameter. Consider implementing stricter database user permissions to limit the impact of a successful SQL Injection attack.

How to Fix

Update the Emlak script to version 2.5.4 or later to mitigate the SQL injection vulnerability. Make sure to apply the latest security updates and review the source code to identify and correct possible weak points. Implement input validation and sanitization to prevent future SQL injections.
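Both the mitigation section and the fix section above come down to validating the 'ara' parameter and keeping it out of the SQL text. The following is an added example (a hypothetical search handler, not the Web Ofisi Emlak source) that shows the vulnerable concatenation pattern beside a parameterized version; the table and column names ilanlar and baslik are placeholders.

```php
<?php
// Added example, hypothetical handler, not the Web Ofisi Emlak source: the
// string-concatenation pattern behind an 'ara' SQL injection beside its fix.
// Table/column names (ilanlar, baslik) are placeholders.

// VULNERABLE: the 'ara' GET parameter is concatenated straight into the query,
// so a quote in the input ends the string literal and the rest becomes SQL.
function searchListingsUnsafe(mysqli $db, string $ara)
{
    $sql = "SELECT id, baslik FROM ilanlar WHERE baslik LIKE '%" . $ara . "%'";
    return $db->query($sql);
}

// FIXED: validate the input, then bind it as a parameter so the driver never
// treats it as SQL. LIKE wildcards in user input are escaped as well, so a
// search for "%" does not match every row.
function validateAra(string $ara): string
{
    $ara = trim($ara);
    if ($ara === '' || strlen($ara) > 100) {
        throw new InvalidArgumentException('ara must be 1-100 bytes');
    }
    return $ara;
}

function likePattern(string $term): string
{
    // '!' is the ESCAPE character; escape it first, then the LIKE metacharacters
    return '%' . str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $term) . '%';
}

function searchListingsSafe(PDO $db, string $ara): array
{
    $stmt = $db->prepare(
        "SELECT id, baslik FROM ilanlar WHERE baslik LIKE :ara ESCAPE '!'"
    );
    $stmt->execute([':ara' => likePattern(validateAra($ara))]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes a PDO connection; emulated prepares are disabled so the
// binding happens server-side rather than by client-side quoting):
// $pdo = new PDO($dsn, $user, $pass, [PDO::ATTR_EMULATE_PREPARES => false]);
// $rows = searchListingsSafe($pdo, $_GET['ara'] ?? '');
```

The unsafe function is kept only to show what code review should look for; pairing the fix with a database account limited to SELECT on the listing tables bounds the damage if another injection point is missed.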


Frequently Asked Questions

What is CVE-2019-25456 — SQL Injection in Web Ofisi Emlak?

CVE-2019-25456 is a critical SQL Injection vulnerability affecting Web Ofisi Emlak versions 2.0.0–v2, allowing attackers to manipulate database queries through the 'ara' parameter.

Am I affected by CVE-2019-25456 in Web Ofisi Emlak?

You are affected if you are using Web Ofisi Emlak version 2.0.0–v2. Check your version and upgrade immediately if vulnerable.

How do I fix CVE-2019-25456 in Web Ofisi Emlak?

Upgrade Web Ofisi Emlak to version 2.5.4 or later. Implement input validation and WAF rules as temporary mitigations.

Is CVE-2019-25456 being actively exploited?

There is no public evidence of active exploitation at this time, but the vulnerability's ease of exploitation warrants immediate attention.

Where can I find the official Web Ofisi Emlak advisory for CVE-2019-25456?

Refer to the Web Ofisi Emlak security advisories for detailed information and patch instructions. Check their official website for updates.
