Platform
php
Component
fiverr-clone-script
Fixed version
1.2.3
CVE-2019-25444 describes a critical SQL injection vulnerability in Fiverr Clone Script version 1.2.2. The flaw allows unauthenticated attackers to manipulate database queries by injecting SQL via the 'page' parameter. Successful exploitation could lead to unauthorized access to sensitive data and modification of the database, compromising the integrity and confidentiality of the application and its users.
The SQL injection vulnerability in Fiverr Clone Script allows attackers to bypass authentication and directly interact with the database. An attacker could craft malicious SQL queries to extract usernames, passwords, order details, payment information, and other sensitive data stored within the database. Beyond data exfiltration, the attacker could potentially modify or delete data, leading to denial of service or even complete compromise of the application. The impact is particularly severe given the potential for unauthorized access to user data and the ability to manipulate critical business functions.
While no active exploitation campaigns are publicly known, the severity of the vulnerability (CVSS 9.1) and the ease of exploitation make it a high-priority target. The lack of a fixed version increases the risk. This vulnerability is not listed on KEV as of the last update. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature.
Organizations and individuals using Fiverr Clone Script version 1.2.2 are at immediate risk. Shared hosting environments are particularly vulnerable, as a compromise of one account could potentially expose the entire server. Those who have not implemented robust input validation practices are also at increased risk.
• php / web: curl -I 'http://your-fiverr-clone-script/index.php?page=' ; # Check for SQL injection attempts in the response headers.
• generic web: grep -r "SELECT * FROM" /var/www/html/ ; # Search for potentially vulnerable SQL queries in the codebase.
Exploitation status
EPSS
0.07% (22nd percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25444 is to upgrade to a patched version of Fiverr Clone Script. As no fixed version is specified, thorough code review and sanitization of user inputs, particularly the 'page' parameter, is crucial. Implementing a Web Application Firewall (WAF) with SQL injection protection rules can provide a temporary layer of defense. Carefully review and restrict database user permissions to limit the potential damage from a successful injection. After applying mitigations, test the application thoroughly, focusing on input validation and parameterized queries, to confirm the vulnerability is resolved.
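One way to apply the mitigations described above to a 'page' parameter in PHP 8, as an added example that is not Fiverr Clone Script's own code: the value is checked against a fixed allowlist before any query runs, the lookup uses a PDO prepared statement so the input is bound as data rather than concatenated into SQL, and the connection uses a read-only database account. The table and column names (pages, slug, title, body), the allowlist contents and the unsafe pattern quoted in the comment are assumptions.

```php
<?php
// Added example, not Fiverr Clone Script's own code. Table/column names are assumptions.
// Unsafe pattern this replaces (string concatenation lets input change the query):
//   $sql = "SELECT * FROM pages WHERE slug = '" . $_GET['page'] . "'";
declare(strict_types=1);

final class PageRepository
{
    // Pages the application actually serves; anything else is rejected before any query.
    private const ALLOWED_PAGES = ['home', 'about', 'services', 'contact', 'faq'];

    public function __construct(private PDO $db) {}

    // Validate the raw 'page' value: structural check first, then allowlist membership.
    // Returns the normalised slug, or null when the value must be rejected.
    public static function normalisePage(?string $raw): ?string
    {
        if ($raw === null) {
            return 'home';                                   // default page, not an error
        }
        $slug = strtolower(trim($raw));
        if (!preg_match('/^[a-z0-9-]{1,32}$/', $slug)) {
            return null;                                     // quotes, spaces, comment markers fail here
        }
        return in_array($slug, self::ALLOWED_PAGES, true) ? $slug : null;
    }

    // Fetch with a prepared statement: the slug is bound as data, never interpolated into SQL.
    public function fetch(string $slug): ?array
    {
        $stmt = $this->db->prepare('SELECT id, slug, title, body FROM pages WHERE slug = :slug');
        $stmt->execute([':slug' => $slug]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    }
}

// Assumed wiring in index.php. The connection uses a read-only database account (least
// privilege, so a query bug cannot modify data) and real server-side prepares.
$pdo = new PDO('mysql:host=localhost;dbname=app;charset=utf8mb4', 'app_readonly', (string) getenv('DB_PASS'), [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$slug = PageRepository::normalisePage($_GET['page'] ?? null);
if ($slug === null) {
    http_response_code(404);
    exit('Page not found');
}
$page = (new PageRepository($pdo))->fetch($slug);
```

The allowlist is the check that actually closes the injection path; the prepared statement is defence in depth in case a later change widens the accepted values.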
Update to a fixed version of Fiverr Clone Script that addresses the SQL injection vulnerability in the 'page' parameter. Check the vendor's (Phpscriptsmall) documentation for information on available updates and installation instructions. In addition, implement input validation and sanitization in the code to prevent future SQL injections.
CVE-2019-25444 is a critical SQL injection vulnerability affecting Fiverr Clone Script version 1.2.2, allowing attackers to manipulate database queries through the 'page' parameter.
If you are using Fiverr Clone Script version 1.2.2, you are potentially affected by this vulnerability. Immediate action is required.
Upgrade to a patched version of Fiverr Clone Script. If unavailable, implement strict input validation and consider a WAF.
While no active campaigns are confirmed, the vulnerability's severity makes it a likely target for exploitation.
Check the Fiverr Clone Script project's official website or repository for security advisories and updates.