CVE-2019-25538

HighPublic PoC

Published: 12 March 2026

Published

12 March 2026

Modified

16 March 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0022 43.8th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Description

202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send crafted requests with malicious SQL statements in the log_user field to extract sensitive…

database information or modify database contents.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by requiring validation of the log_user parameter to reject malicious SQL code.

SI-9 Information Input Restrictions good match

prevent

SI-9 enforces restrictions on the log_user input at system boundaries to block SQL injection attempts through format and content limits.

SI-2 Flaw Remediation good match

prevent

SI-2 requires identification and remediation of the specific SQL injection flaw in 202CMS v10 beta's log_user parameter handling.

Security SummaryAI

CVE-2019-25538 is an SQL injection vulnerability in 202CMS v10 beta, specifically through the log_user parameter. This flaw allows attackers to inject malicious SQL code into database queries, as the parameter fails to properly sanitize user input. Affected systems are instances of 202CMS v10 beta, a content management system hosted on SourceForge under the project name b202cms. The vulnerability is classified under CWE-89 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability disruption.

Unauthenticated remote attackers can exploit this vulnerability by sending crafted HTTP requests containing malicious SQL statements in the log_user field. Successful exploitation enables manipulation of database queries, allowing extraction of sensitive information such as user credentials or other confidential data, or limited modification of database contents. The lack of authentication requirements (PR:N) and low attack complexity (AC:L) make it accessible to any network adversary without user interaction.

References include the 202CMS project page on SourceForge, a proof-of-concept exploit on Exploit-DB (ID 46579), and a detailed advisory from Vulncheck describing the SQL injection via the log_user parameter. No patches or specific mitigation steps are detailed in the provided information, emphasizing the need for input validation and prepared statements in similar applications.

Details

CWE(s): CWE-89

Affected Products

konradpl99

202cms

10.0

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

CVE-2019-25538 is an unauthenticated SQL injection in a public-facing CMS (T1190: Exploit Public-Facing Application), enabling database query manipulation for sensitive data extraction like credentials (T1213.006: Databases).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://sourceforge.net/projects/b202cms/
Product · disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46579
Exploit, Third Party Advisory, VDB Entry · disclosure@vulncheck.com
https://www.vulncheck.com/advisories/202cms-v10-beta-sql-injection-via-log-user-parameter
Third Party Advisory · disclosure@vulncheck.com