CVE-2019-25643

HighPublic PoC

Published: 24 March 2026

Published

24 March 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 8.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

EPSS Score 0.0013 31.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Description

eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter…

to extract sensitive database information from the INFORMATION_SCHEMA tables.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

SI-10 directly prevents SQL injection by validating and sanitizing the unsanitized 'bid' parameter in banners.php before use in database queries.

SI-2 Flaw Remediation good match

prevent

SI-2 ensures timely remediation of the specific SQL injection flaw in eNdonesia Portal v8.7's banners.php component.

SC-7 Boundary Protection partial match

prevent

SC-7 implements boundary protection such as web application firewalls to inspect and block crafted SQL payloads in GET requests to banners.php.

Security SummaryAI

eNdonesia Portal version 8.7 suffers from multiple SQL injection vulnerabilities tracked as CVE-2019-25643 (CWE-89). The flaws reside in the banners.php component, where the bid parameter fails to properly sanitize user input, allowing attackers to inject and execute arbitrary SQL queries.

Unauthenticated remote attackers can exploit the vulnerability by sending GET requests to banners.php with crafted SQL payloads in the bid parameter. Successful exploitation enables extraction of sensitive database information, including data from INFORMATION_SCHEMA tables. The issue carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact with low integrity impact and no availability disruption.

Advisories and references, including those from Vulncheck and Exploit-DB (exploit 46559), document the SQL injection via banners.php and provide proof-of-concept details. The eNdonesia project is hosted on SourceForge and its site at endonesia.org, but no patches or mitigations are specified in the available information.

Details

CWE(s): CWE-89

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

T1213.006 Databases Collection

Adversaries may leverage databases to mine valuable information.

attack.mitre.org →

Why these techniques?

SQL injection in public-facing web application (banners.php) enables exploitation of public-facing app (T1190) and data collection from databases (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

http://www.endonesia.org/
disclosure@vulncheck.com
https://sourceforge.net/projects/endonesia/
disclosure@vulncheck.com
https://www.exploit-db.com/exploits/46559
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/endonesia-portal-sql-injection-via-banners-php
disclosure@vulncheck.com