CVE-2019-25443
Description
Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Inventory Webapp's add-item.php allows attackers to execute arbitrary database commands via GET parameters.
Vulnerability
Overview
CVE-2019-25443 is an SQL injection vulnerability in the Inventory Webapp, an open-source inventory management application. The root cause lies in the add-item.php script, which uses unsanitized GET parameters (name, description, quantity, cat_id) directly when constructing a database query. The vulnerable code at line 39 assigns $_GET["name"] (and likewise the other parameters) to variables that are then interpolated into a SQL query string executed by mysql_query(), without any input validation or parameterization [1].
Exploitation
An unauthenticated attacker can exploit this flaw by sending a crafted HTTP GET request to the vulnerable page. The proof-of-concept URL pattern is http://site.com/php/add-item.php?itemquery=[SQL], where the itemquery parameter (or any of the named GET parameters) can contain arbitrary SQL payloads. No authentication is required, and the attack can be performed remotely over the network [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL commands against the underlying database. This can lead to data exfiltration, modification, or deletion of inventory records, and potentially full compromise of the database server depending on database privileges. The CVSS v3 base score of 8.2 (High) reflects the low complexity, no privileges required, and high confidentiality and integrity impacts [1].
Mitigation
The vendor has not released a patch for this vulnerability; the project appears to be unmaintained. Users of the Inventory Webapp should immediately migrate to a supported alternative or apply input sanitization and parameterized queries to all database interactions. The exploit is publicly available, increasing the risk of active exploitation [1].
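The following PHP is an added illustration, not code from the Inventory Webapp project: it reconstructs the string-interpolation pattern the overview describes for add-item.php beside a hardened version that validates types and binds values through a mysqli prepared statement. The table and column names (`items`, `name`, `description`, `quantity`, `cat_id`) and the length limits are assumptions chosen for the example.

```php
<?php
// Added example (not the Inventory Webapp's code). Table/column names and
// length limits are assumptions for illustration.

// --- Vulnerable pattern: raw GET values interpolated into the SQL text.
// The legacy mysql_* extension the page describes was removed in PHP 7.0,
// so a fix has to move to mysqli or PDO anyway. Any quote character in a
// parameter changes the structure of the query the database sees.
function buildQueryUnsafe(array $get): string
{
    $name        = $get['name'];
    $description = $get['description'];
    $quantity    = $get['quantity'];
    $catId       = $get['cat_id'];
    return "INSERT INTO items (name, description, quantity, cat_id) "
         . "VALUES ('$name', '$description', '$quantity', '$catId')";
}

// --- Hardened version, step 1: validate the shape of every parameter before
// it gets anywhere near the database. Integers are parsed as integers and
// rejected otherwise; strings are length-checked.
function validateItemInput(array $get): array
{
    $name        = trim((string)($get['name'] ?? ''));
    $description = trim((string)($get['description'] ?? ''));
    $quantity    = filter_var($get['quantity'] ?? null, FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 0]]);
    $catId       = filter_var($get['cat_id'] ?? null, FILTER_VALIDATE_INT,
                              ['options' => ['min_range' => 1]]);

    if ($name === '' || strlen($name) > 100) {
        throw new InvalidArgumentException('name must be 1-100 bytes');
    }
    if (strlen($description) > 1000) {
        throw new InvalidArgumentException('description must be at most 1000 bytes');
    }
    if ($quantity === false || $catId === false) {
        throw new InvalidArgumentException('quantity and cat_id must be integers');
    }
    return [$name, $description, $quantity, $catId];
}

// --- Hardened version, step 2: a prepared statement. The SQL text is fixed at
// prepare() time and the values travel separately, so a quote in $name is
// stored as data and never parsed as SQL. Requires a live mysqli connection.
function addItemSafe(mysqli $db, array $input): int
{
    [$name, $description, $quantity, $catId] = validateItemInput($input);
    $stmt = $db->prepare(
        'INSERT INTO items (name, description, quantity, cat_id) VALUES (?, ?, ?, ?)'
    );
    // Type string: s = string, i = integer, one letter per placeholder.
    $stmt->bind_param('ssii', $name, $description, $quantity, $catId);
    $stmt->execute();
    $id = (int)$db->insert_id;
    $stmt->close();
    return $id;
}

// Offline demonstration with a constructed input that contains an apostrophe.
$sample = ['name' => "O'Reilly widget", 'description' => 'demo',
           'quantity' => '3', 'cat_id' => '7'];

// The unsafe builder produces a query whose string literal is broken by the quote:
echo buildQueryUnsafe($sample), PHP_EOL;

// The validated tuple is typed and ready for binding; with a real connection:
// $db = new mysqli('localhost', 'user', 'pass', 'inventory');
// $newId = addItemSafe($db, $_GET);
var_dump(validateItemInput($sample));
```

Running the file without a database prints the malformed unsafe query and the validated tuple; `addItemSafe` only runs once a `mysqli` connection is supplied. The validation step is a defence in depth, not a substitute for binding: the prepared statement is what removes the injection, while the integer checks keep `quantity` and `cat_id` from carrying unexpected content even to other parts of the application. Since the handler changes state, moving it from GET to POST (with the usual CSRF protection) is a separate improvement worth making at the same time.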
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0
No linked articles in our index yet.