CVE-2019-25515

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

17 March 2026

KEV Added

—

Patch

—

CVSS Score 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

EPSS Score 0.0094 76.3th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. Attackers can bypass authentication by submitting equals signs and 'or'…

operators as username and password parameters to access the administration panel without valid credentials.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly and comprehensively prevents SQL injection in login.php by validating username and password inputs against crafted SQL syntax like equals signs and 'or' operators.

SI-2 Flaw Remediation good match

prevent

SI-2 requires identification, reporting, and correction of the specific SQL injection flaw enabling authentication bypass to administrative access.

RA-5 Vulnerability Monitoring and Scanning good match

detect

RA-5 mandates scanning for vulnerabilities like the SQL injection in CVE-2019-25515 to identify it prior to exploitation.

Security SummaryAI

CVE-2019-25515 is an authentication bypass vulnerability in Jettweb PHP Hazir Haber Sitesi Scripti V3, specifically within the login.php administration panel. The flaw allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax, such as equals signs and 'or' operators, as username and password parameters. This issue is classified under CWE-89 (SQL Injection) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N).

Unauthenticated attackers with network access can exploit the vulnerability remotely with low attack complexity and no user interaction. Exploitation bypasses login credentials entirely, granting full administrative access to the panel and enabling high confidentiality impacts, such as unauthorized access to sensitive administrative data.

Advisories and exploit details are available from Vulncheck at https://www.vulncheck.com/advisories/jettweb-php-hazir-haber-sitesi-scripti-v3-authentication-bypass and Exploit-DB at https://www.exploit-db.com/exploits/46599, which include proof-of-concept information. The CVE description does not specify patches or mitigations.

Details

CWE(s): CWE-89

Affected Products

jettweb

php stock news site script

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is a SQL injection in a public-facing web application's login.php admin panel, enabling unauthenticated remote exploitation for administrative access, directly mapping to Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://www.exploit-db.com/exploits/46599
Exploit, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/jettweb-php-hazir-haber-sitesi-scripti-v3-authentication-bypass
Third Party Advisory · disclosure@vulncheck.com