Cyber Posture

CVE-2019-25514

Severity: High · Public PoC

Published: 12 March 2026
Modified: 17 March 2026
KEV Added: none recorded
Patch: none recorded
KEV Added
Patch
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0012 (30.7th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. Attackers can manipulate the kelime parameter with UNION-based SQL injection payloads to extract sensitive data from the database or bypass authentication controls.

Mitigating Controls (NIST 800-53 r5) [AI-generated]

prevent: Directly prevents SQL injection by requiring validation of inputs like the 'kelime' parameter to block malicious SQL commands.

prevent: Mandates timely identification, reporting, and correction of flaws such as this SQL injection vulnerability through patching or code remediation.

prevent: Enforces restrictions on input parameters like 'kelime' to limit payload size, format, or type, reducing the SQL injection attack surface.
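The controls above amount to two concrete code changes: validate the kelime parameter before it reaches the database, and pass it to the query as a bound value rather than as SQL text. The following PHP is an added illustration written for this record; it is not code from the Jettweb script, the advisory, or any of the referenced exploits. The table name news, the column title, the $pdo connection and the 64-character limit are assumptions chosen for the example.

```php
<?php
// Added example (not the Jettweb script's code): a news-search handler that
// reads a POST parameter named "kelime", shown first in the vulnerable shape
// the advisory describes, then hardened with input validation and a prepared
// statement. Table/column names and the $pdo connection are assumptions.

declare(strict_types=1);

// Vulnerable pattern: the request value is spliced into the SQL text, so the
// database cannot distinguish user data from query structure. A value that
// closes the quote and appends a UNION changes the query itself.
function buildSearchQueryUnsafe(string $kelime): string
{
    return "SELECT id, title FROM news WHERE title LIKE '%" . $kelime . "%'";
}

// Hardened, part 1 (input validation / parameter restriction): reject
// anything that is not a short string of letters, digits and spaces.
function validateKelime(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;                          // arrays/objects are rejected
    }
    $kelime = trim($raw);
    if ($kelime === '' || mb_strlen($kelime) > 64) {
        return null;                          // empty or oversized input
    }
    // Unicode letters (covers Turkish), digits and spaces only: no quotes,
    // comment markers or operators can pass.
    if (!preg_match('/^[\p{L}\p{N} ]+$/u', $kelime)) {
        return null;
    }
    return $kelime;
}

// Hardened, part 2 (parameterised query): the user value travels to the
// server as a bound parameter, never as SQL text, so it cannot alter the
// statement regardless of what the validator let through.
function searchNews(PDO $db, string $kelime): array
{
    $stmt = $db->prepare(
        'SELECT id, title FROM news WHERE title LIKE :pattern LIMIT 50'
    );
    // Escape LIKE wildcards so the search term cannot widen the match.
    $pattern = '%' . addcslashes($kelime, '%_\\') . '%';
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Request handling. Assumes $pdo was created elsewhere with
// PDO::ATTR_EMULATE_PREPARES => false so binding happens server-side.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $kelime = validateKelime($_POST['kelime'] ?? null);
    if ($kelime === null) {
        http_response_code(400);              // reject, and log for detection
        error_log('kelime rejected by validation from ' . $_SERVER['REMOTE_ADDR']);
        exit('Invalid search term');
    }
    $results = searchNews($pdo, $kelime);
    header('Content-Type: application/json');
    echo json_encode($results);
}
```

The validator and the prepared statement are independent layers: the prepared statement is what actually closes the injection, while the validator shrinks the attack surface, gives a clean 400 response to malformed input, and produces a log line that can be counted in monitoring to spot probing of this parameter.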

Security Summary [AI-generated]

CVE-2019-25514 is an SQL injection vulnerability (CWE-89) in Jettweb PHP Hazir Haber Sitesi Scripti V3. The flaw resides in the kelime parameter processed via POST requests, where insufficient input sanitization allows attackers to inject malicious SQL commands. Specifically, UNION-based SQL injection payloads can be used to manipulate database queries.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required, as indicated by the CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N). Successful exploitation enables extraction of sensitive data from the database or bypassing authentication controls, resulting in high confidentiality impact and low integrity impact.

Advisories and proof-of-concept exploits are documented in public references, including Exploit-DB at https://www.exploit-db.com/exploits/46599 and VulnCheck at https://www.vulncheck.com/advisories/jettweb-php-hazir-haber-sitesi-scripti-v3-sql-injection-3. These resources detail the vulnerability but do not specify patches or vendor-provided mitigations in the available information.

Details

CWE(s): CWE-89

Affected Products: jettweb php stock news site script, version 3

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing PHP web script enables exploitation of a public-facing application (T1190) for initial access or authentication bypass, and UNION-based payloads let the attacker query the database to extract sensitive data (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References