Cyber Posture

CVE-2019-25513

Severity: High · Public PoC available

Published: 12 March 2026
Modified: 17 March 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0039 (60.0th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send GET requests to datagetir.php with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information or bypass authentication.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- prevent: Directly prevents SQL injection by requiring validation and sanitization of user input such as the 'q' parameter in datagetir.php before it reaches database query execution.
- prevent: Mandates identification, reporting, and correction of the specific SQL injection flaw in datagetir.php to eliminate the vulnerability.
- prevent: Boundary protection with a web application firewall can inspect and block malicious SQL injection payloads in unauthenticated GET requests to datagetir.php.

Security Summary [AI-generated]

CVE-2019-25513 is an SQL injection vulnerability (CWE-89) in Jettweb PHP Hazir Haber Sitesi Scripti V3. The flaw resides in the datagetir.php component, where the 'q' parameter fails to properly sanitize user input, allowing attackers to inject arbitrary SQL code into database queries.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted GET requests to datagetir.php with malicious values in the 'q' parameter, attackers can perform time-based blind SQL injection to extract sensitive database information or bypass authentication mechanisms. The CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects high confidentiality impact with low integrity impact and no availability disruption.

Advisories from Exploit-DB (exploit 46599) and Vulncheck document the vulnerability, including proof-of-concept exploits demonstrating the time-based blind SQL injection technique via the 'q' parameter in datagetir.php. No patches or specific mitigations are detailed in the provided references.

Details

CWE(s): CWE-89 (SQL Injection)

Affected Products

jettweb · php stock news site script · version 3

MITRE ATT&CK Enterprise Techniques [AI-generated]

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.

Why these techniques?

The SQL injection vulnerability in a public-facing web application (datagetir.php) enables unauthenticated remote exploitation (T1190) to extract sensitive database information via time-based blind SQLi (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References