CVE-2019-25433
Description
XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XOOPS CMS 2.5.9 is vulnerable to unauthenticated SQL injection in the gerar_pdf.php endpoint via the cid parameter, allowing data extraction.
Vulnerability
Overview
CVE-2019-25433 describes an SQL injection vulnerability in XOOPS CMS version 2.5.9. The flaw resides in the gerar_pdf.php script, which fails to sanitize the cid parameter before incorporating it into database queries. This allows an attacker to inject arbitrary SQL code through a GET request, and no authentication is required to reach the endpoint [1].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to the vulnerable endpoint, such as http://host/patch/modules/patch/gerar_pdf.php?cid=[SQL Injection]. No prior authentication or special privileges are needed, making the attack surface broad. The exploit is publicly available and has been demonstrated on both Windows and Linux platforms [1].
Impact
Successful exploitation enables the attacker to extract sensitive information from the underlying database, including user credentials, session data, and other confidential records. The CVSS v3 score of 8.2 (High) reflects the ease of exploitation and the potential for significant data compromise.
Mitigation
As of the publication date, no official patch has been released for XOOPS CMS 2.5.9. Users are advised to upgrade to a later version of XOOPS if available, or to apply input validation and parameterized queries as a workaround. The vulnerability is listed in public exploit databases, increasing the risk of active exploitation [1].
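To illustrate the parameterized-query workaround described above, here is an added example that is not XOOPS code: a hypothetical handler in the style of gerar_pdf.php, shown first in the injectable form and then hardened with integer validation and a bound parameter (the table, column and function names are assumptions; it needs PHP with the pdo_sqlite extension).

```php
<?php
// Added illustration, not XOOPS source: a hypothetical handler that reads
// ?cid= from a GET request, as gerar_pdf.php does. The first form is the
// defect class the CVE describes; the second is the corrected pattern.

function vulnerable_lookup(PDO $db, array $get): array
{
    $cid = $get['cid'] ?? '';
    // Defect: user input is spliced straight into the SQL string, so the
    // database parser sees whatever the client sent as part of the query.
    $sql = "SELECT id, title FROM categories WHERE id = " . $cid;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: validate the type the column expects, then bind the value
// through a prepared statement so it can never be interpreted as SQL.
function hardened_lookup(PDO $db, array $get): array
{
    $cid = filter_var($get['cid'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($cid === false) {
        http_response_code(400);
        return []; // reject anything that is not a positive integer
    }
    $stmt = $db->prepare('SELECT id, title FROM categories WHERE id = :cid');
    $stmt->bindValue(':cid', $cid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'Public'), (2, 'Internal')");

// A well-formed request returns the expected row.
var_dump(hardened_lookup($db, ['cid' => '1']));

// A non-numeric cid such as '1abc' is rejected before any query runs,
// whereas vulnerable_lookup() would hand the raw string to the SQL parser.
var_dump(hardened_lookup($db, ['cid' => '1abc']));
```

Logging the 400 responses from the hardened handler also gives defenders a cheap detection signal for probing of the cid parameter.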
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0
No linked articles in our index yet.