CVE-2019-25635
Published: 24 March 2026
Description
Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques.
Mitigating Controls (NIST 800-53 r5) (AI)
Directly prevents SQL injection by validating and sanitizing untrusted inputs in parameters like up_cast, s_mother, and s_religion before processing database queries.
Mitigates error-based SQL injection techniques by suppressing detailed database error messages that reveal sensitive information to attackers.
Ensures timely remediation of the specific SQL injection flaws in the profile_list endpoint through identification, patching, and verification.
Security Summary (AI)
CVE-2019-25635 consists of multiple SQL injection vulnerabilities (CWE-89) in Zeeways Matrimony CMS, specifically affecting the profile_list endpoint. Attackers can inject malicious SQL code via the up_cast, s_mother, and s_religion parameters, enabling manipulation of database queries to extract sensitive information through time-based or error-based techniques. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), highlighting its high severity due to network accessibility and lack of prerequisites.
Unauthenticated attackers can exploit these flaws remotely over the network with low attack complexity and no user interaction. Exploitation allows disclosure of sensitive database contents with high confidentiality impact and limited integrity impact, while availability remains unaffected.
Advisories and related resources include the Zeeways Matrimony CMS product detail page at http://www.zeeways.com/matrimony-cms/4/productdetail, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/46603, and a VulnCheck advisory at https://www.vulncheck.com/advisories/zeeways-matrimony-cms-lastest-sql-injection-via-profile-list. These references provide further details on the issues but do not specify mitigation or patch information in the CVE description.
Details
- CWE(s)