VYPR
High severity (8.2) · NVD Advisory · Published Feb 22, 2026 · Updated Apr 15, 2026

CVE-2019-25439

Description

NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

NoviSmart CMS is vulnerable to SQL injection via the Referer HTTP header, enabling unauthenticated remote attackers to execute arbitrary SQL queries.

Vulnerability

Overview

NoviSmart CMS suffers from an SQL injection vulnerability in the handling of the HTTP Referer header. The application fails to properly sanitize user input supplied through this header before incorporating it into SQL queries. This flaw is categorized under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) [1][2].

Exploitation

An attacker can exploit this vulnerability by sending an HTTP GET request whose Referer header carries a time-based SQL injection payload. No authentication is required, and the attack is carried out over the network. The advisory cites a payload of the form if(now()=sysdate(),sleep(0),0)/*'XOR(...) placed directly in the Referer field [2]. The injection works because the application logs or otherwise processes the Referer header in a database context without escaping or parameterizing it.

Impact

Successful exploitation allows a remote, unauthenticated attacker to execute arbitrary SQL commands. This can lead to extraction of sensitive data from the database, including user credentials and other confidential information, as well as potential denial of service through time-based queries [1]. The CVSS v4 score is 8.2, indicating high severity with significant confidentiality impact [1].

Mitigation

As of the published advisory, all versions of NoviSmart CMS are considered vulnerable [2]. Users should apply any vendor-supplied patches; developers should validate the Referer header and pass its value to the database only through parameterized queries. Until a fix is available, a web application firewall (WAF) that filters malicious Referer headers is recommended as a workaround.
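To make the root cause and the fix concrete, the following added example (not NoviSmart code; it uses Python's sqlite3 with a constructed "visits" table standing in for a CMS request log) shows a Referer value spliced into SQL text beside the parameterized form, plus a well-formedness check usable as defense in depth:

```python
import re
import sqlite3
from urllib.parse import urlsplit


def new_db() -> sqlite3.Connection:
    # Constructed stand-in for a CMS table that records the Referer of each hit.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, referer TEXT)")
    return conn


def log_referer_unsafe(conn: sqlite3.Connection, referer: str) -> None:
    # Vulnerable pattern (CWE-89): the header value becomes part of the SQL
    # statement, so any quote or SQL metacharacter it contains is parsed as SQL.
    conn.execute(f"INSERT INTO visits (referer) VALUES ('{referer}')")


def log_referer_safe(conn: sqlite3.Connection, referer: str) -> None:
    # Hardened pattern: a bound parameter is passed as data and is never
    # interpreted as SQL, whatever characters the client put in the header.
    conn.execute("INSERT INTO visits (referer) VALUES (?)", (referer,))


def referer_is_wellformed(referer: str, max_len: int = 2048) -> bool:
    # Defense-in-depth check: absolute http(s) URL, bounded length, no control
    # characters. This limits junk in the log; it does not replace parameterization.
    if len(referer) > max_len or re.search(r"[\x00-\x1f\x7f]", referer):
        return False
    parts = urlsplit(referer)
    return parts.scheme in ("http", "https") and bool(parts.netloc)


def stored_referers(conn: sqlite3.Connection) -> list:
    return [row[0] for row in conn.execute("SELECT referer FROM visits ORDER BY id")]


# Constructed header value: an apostrophe is legal in a URL path, and a browser
# may send it; it is enough to break the concatenated statement.
ODD_REFERER = "https://example.test/it's-a-page"


def demo() -> tuple:
    unsafe_error = None
    try:
        log_referer_unsafe(new_db(), ODD_REFERER)
    except sqlite3.OperationalError as exc:  # malformed statement: the value was parsed as SQL
        unsafe_error = str(exc)
    safe_conn = new_db()
    log_referer_safe(safe_conn, ODD_REFERER)
    return unsafe_error, stored_referers(safe_conn)
```

Running demo() shows the concatenated insert failing with a syntax error while the parameterized insert stores the header verbatim; the same difference is what turns a crafted header into query execution in the vulnerable case.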

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 2

News mentions: 0 (no linked articles in our index yet)