VYPR
Medium severity 6.1 · NVD Advisory · Published Jan 8, 2026 · Updated Apr 15, 2026

CVE-2019-25280

Description

Yahei-PHP Prober 0.4.7 contains a remote HTML injection vulnerability that allows attackers to execute arbitrary HTML code through the 'speed' GET parameter. Attackers can inject malicious HTML code in the 'speed' parameter of prober.php to trigger cross-site scripting in user browser sessions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Yahei-PHP Prober 0.4.7 is vulnerable to HTML injection via the 'speed' GET parameter, enabling cross-site scripting (XSS) attacks.

Vulnerability

Overview

Yahei-PHP Prober version 0.4.7 contains a remote HTML injection vulnerability in the prober.php script, in the GET parameter speed. The input passed to this parameter is not properly sanitized before being returned to the user, allowing attackers to inject arbitrary HTML code into the page output [1][3]. The vulnerable code directly echoes the unsanitized $_GET['speed'] value into the HTML response, as seen in line 1393 of prober.php [3].

Exploitation

An attacker can exploit this vulnerability by crafting a URL targeting the prober.php script with a malicious speed parameter. For example, the proof-of-concept URL `http://domain.local/prober.php?speed=<marquee>marq</marquee>` demonstrates injection of arbitrary HTML [3]. No authentication is required, and the attack can be performed remotely over HTTP. The injected HTML is rendered in the context of the affected site, enabling cross-site scripting (XSS) scenarios.

Impact

Successful exploitation allows an attacker to execute arbitrary HTML code in a user's browser session, potentially leading to session hijacking, defacement, or phishing attacks. The vulnerability is classified as medium severity (CVSS v3 base score 6.1) due to the requirement for user interaction: the victim must visit the crafted URL [1].

Mitigation

The publication date of this CVE is 2026-01-08, but the vulnerability was disclosed in July 2019 [3]. The vendor's website (yahei.net) appears to be offline or no longer maintained [4]. Users should consider migrating to an alternative server monitoring solution, as no official patch has been released for this version.
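
With no patch available, existing deployments can at least be checked for abuse of the parameter. The following is an added example, not part of the advisory or the project's code: it scans web server access logs for prober.php requests whose speed value decodes to HTML metacharacters. The combined log format, the sample lines, and the choice of metacharacters are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+"')
# Characters needed to introduce markup or break out of an attribute
# (this example's heuristic, not a rule taken from the advisory).
HTML_META = re.compile(r'[<>"\']')

def suspicious_speed_values(path_and_query: str) -> list:
    """Return decoded 'speed' values of a prober.php request that contain HTML metacharacters."""
    parts = urlsplit(path_and_query)
    if not parts.path.lower().endswith("/prober.php"):
        return []
    hits = []
    for value in parse_qs(parts.query, keep_blank_values=True).get("speed", []):
        # parse_qs decodes once (what the script would see); decoding a second
        # time also surfaces double-encoded probing attempts.
        decoded = unquote(value)
        if HTML_META.search(value) or HTML_META.search(decoded):
            hits.append(decoded)
    return hits

def scan(lines):
    """Return (line_number, decoded_value) for every flagged request."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if match:
            for value in suspicious_speed_values(match.group(1)):
                findings.append((number, value))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Jan/2026:10:00:00 +0000] "GET /prober.php?speed=1024 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2026:10:01:12 +0000] "GET /prober.php?speed=%3Cmarquee%3Emarq%3C/marquee%3E HTTP/1.1" 200 5141 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Jan/2026:10:01:15 +0000] "GET /prober.php?speed=%253Cmarquee%253Emarq%253C%252Fmarquee%253E HTTP/1.1" 200 5160 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [08/Jan/2026:10:02:30 +0000] "GET /index.php?speed=%3Cb%3E HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for number, value in scan(SAMPLE_LOG):
        print(f"line {number}: speed={value!r}")
```
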

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.


References

5
