Platform
php
Component
web-ofisi-emlak
Fixed version
2.0.1
CVE-2019-25459 describes multiple SQL injection vulnerabilities present in Web Ofisi Emlak V2, a PHP-based real estate management system. These vulnerabilities allow unauthenticated attackers to directly manipulate database queries, potentially leading to unauthorized data access and manipulation. The vulnerability affects versions 2.0.0–V2, and a fix is available in version 2.5.4.
An attacker exploiting CVE-2019-25459 can gain unauthorized access to sensitive data stored within the Web Ofisi Emlak database. By injecting malicious SQL code into GET parameters such as emlakdurumu, emlaktipi, il, ilce, kelime, and semt, an attacker can extract user credentials, property details, financial information, and other confidential data. The time-based blind SQL injection technique allows attackers to bypass input validation and extract data even without direct error messages. Successful exploitation could lead to complete database compromise and potentially allow an attacker to modify or delete data, disrupting the real estate management system’s functionality.
CVE-2019-25459 was published on 2026-02-22. While no active exploitation campaigns have been publicly confirmed, the CRITICAL severity and ease of exploitation make it a high-priority vulnerability. The lack of a KEV listing suggests no confirmed exploitation, but the vulnerability's nature warrants ongoing monitoring. Public proof-of-concept exploits are likely to emerge given the vulnerability's simplicity.
Organizations utilizing Web Ofisi Emlak V2 (2.0.0–V2) for real estate management are at significant risk. This includes small to medium-sized businesses relying on the system for property listings, client management, and financial tracking. Shared hosting environments where multiple users share the same server instance are particularly vulnerable, as a compromise of one user's instance could potentially lead to lateral movement and compromise other users’ data.
• php: Examine web server access logs for requests containing suspicious SQL syntax in GET parameters (e.g., emlak_durumu=1' OR '1'='1).
• php: Review the source code of Web Ofisi Emlak, specifically the endpoint handling GET parameters, for unescaped user input used in SQL queries.
• generic web: Use curl to test the vulnerable endpoints with various SQL injection payloads:
curl "http://your-web-ofisi-instance/index.php?emlak_durumu=1' OR '1'='1"
• generic web: Monitor error logs for database-related errors that might indicate a SQL injection attempt.
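The following Python script is an added example, not part of the advisory or of the Web Ofisi code, applying the first detection item above to access-log lines: it parses each request's query string, looks only at the GET parameters the advisory names (both spellings seen on this page are included as an assumption), and flags values carrying tautology, time-based or comment indicators, decoding twice so double-encoded payloads are not missed. The combined log format and the sample lines are assumed and constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# GET parameters named in the advisory; both spellings that appear on the page are watched.
WATCHED_PARAMS = {"emlakdurumu", "emlak_durumu", "emlaktipi", "il", "ilce", "kelime", "semt"}

# Indicator patterns; "time-based" covers the blind technique the advisory mentions.
SQLI_PATTERNS = {
    "tautology": re.compile(r"'\s*(or|and)\s*'?\w*'?\s*=", re.I),            # 1' OR '1'='1
    "time-based": re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\s*\(", re.I),
    "comment": re.compile(r"(--\s|/\*)"),
}

# Combined log format request line (the constructed sample below follows it).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')

def classify_params(target):
    """Return {param: indicator} for watched GET parameters whose value matches an indicator."""
    hits = {}
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if name.lower() not in WATCHED_PARAMS:
            continue
        value = unquote_plus(value)  # second decode catches double-encoded payloads
        for label, pattern in SQLI_PATTERNS.items():
            if pattern.search(value):
                hits[name] = label
                break
    return hits

def scan_access_log(lines):
    """Return one finding per request whose watched parameters carry SQLi indicators."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        hits = classify_params(m.group("target"))
        if hits:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "params": hits})
    return findings

# Constructed sample log lines (not from any real server).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Feb/2026:10:00:01 +0000] "GET /index.php?il=34&ilce=12&kelime=daire HTTP/1.1" 200 5120',
    '203.0.113.5 - - [22/Feb/2026:10:00:02 +0000] "GET /index.php?kelime=O%27Brien HTTP/1.1" 200 4870',
    '198.51.100.9 - - [22/Feb/2026:10:00:03 +0000] "GET /index.php?emlak_durumu=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9301',
    '198.51.100.9 - - [22/Feb/2026:10:00:09 +0000] "GET /index.php?semt=1%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 3002',
    '198.51.100.9 - - [22/Feb/2026:10:00:10 +0000] "GET /index.php?kelime=%2527%2520OR%2520%25271%2527%253D%25271 HTTP/1.1" 500 311',
    '192.0.2.77 - - [22/Feb/2026:10:00:11 +0000] "GET /index.php?page=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 5120',
]
```

Running scan_access_log(SAMPLE_LOG) flags the three 198.51.100.9 requests and ignores the apostrophe in a legitimate search term and the payload sent in a parameter the advisory does not name.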
disclosure
Exploitation status
EPSS
0.11% (30th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2019-25459 is to immediately upgrade Web Ofisi Emlak to version 2.5.4 or later. If upgrading is not immediately feasible, implement strict input validation and sanitization on all GET parameters to prevent SQL injection attacks. Consider using a Web Application Firewall (WAF) with SQL injection protection rules to filter malicious requests. Regularly review database access logs for suspicious activity and implement the principle of least privilege for database users. After upgrading, confirm the fix by attempting to inject SQL code into the vulnerable GET parameters and verifying that the requests are properly sanitized and do not result in database errors.
Upgrade the Emlak script to version 2.5.4 or later to mitigate the SQL injection vulnerability. Make sure to apply the latest security updates provided by Web-ofisi to protect your application against potential attacks. Review and sanitize user input in GET parameters to prevent SQL code injection.
CVE-2019-25459 is a critical SQL injection vulnerability in Web Ofisi Emlak V2 (2.0.0–V2) allowing attackers to manipulate database queries via GET parameters.
If you are using Web Ofisi Emlak V2 (2.0.0–V2), you are potentially affected and should upgrade immediately.
Upgrade to version 2.5.4 or later. Implement input validation and consider using a WAF as an interim measure.
While no active exploitation campaigns have been confirmed, the vulnerability's severity and ease of exploitation make it a high-priority risk.
Refer to the Web Ofisi security advisories for the latest information and updates regarding CVE-2019-25459.