CVE-2019-25440

Vulnerability

Overview CVE-2019-25440 is an SQL injection vulnerability in WebIncorp ERP, affecting all versions. The flaw resides in the prod_id parameter of product_detail.php, which fails to sanitize user input before incorporating it into database queries [1].

Exploitation

Details An unauthenticated attacker can exploit this by sending a specially crafted GET request to the vulnerable endpoint. By injecting SQL code into the prod_id parameter, such as a single quote ('), the attacker can manipulate the underlying SQL query. No authentication is required, and the attack can be executed remotely over HTTP [1].

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, including user credentials, business data, and other confidential records. The CVSS v3 score of 8.2 (High) reflects the low complexity, no privileges required, and high confidentiality impact [1].

Mitigation

As of the advisory date (August 2019), no patch was available. Users should implement input validation and parameterized queries to mitigate the risk. The vendor homepage indicates the product is an ERP solution for Qatar-based businesses [1].