CVE-2019-25446
Description
DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An unauthenticated SQL injection in DIGIT CENTRIS ERP allows remote attackers to extract or modify database data via POST parameters to /korisnikinfo.php.
Vulnerability
Overview
CVE-2019-25446 describes an SQL injection vulnerability in the DIGIT CENTRIS ERP application. The flaw resides in the /korisnikinfo.php endpoint, where the datum1, datum2, KID, and PID parameters are not sanitized before being used in SQL queries. An unauthenticated attacker can inject arbitrary SQL code by manipulating these parameters in a POST request, as demonstrated by the available exploit proof-of-concept [1].
Exploitation
No authentication is required to reach the vulnerable endpoint. The attacker sends a crafted POST request containing malicious SQL syntax in the parameters. The exploit example shows a simple injection using single-quote characters to break out of the intended query structure [1]. The attack is performed over HTTP POST and does not require any special privileges or network position beyond standard web access.
Impact
Successful exploitation can lead to unauthorized extraction of sensitive database information, including user credentials, business data, and other confidential records. Because the vulnerability allows data modification as well, an attacker could alter or delete critical information stored in the database, potentially compromising data integrity and availability.
Mitigation
As of the time of the public disclosure (September 2019), no vendor patch was available, and the advisory notes that the vulnerability affects every version of DIGIT CENTRIS ERP [1]. Organizations using this software should apply input validation and parameterized queries as a workaround, or limit network access to the application until a security update is provided.
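To make the workaround concrete, the following added example (illustrative Python over SQLite, not code from DIGIT CENTRIS ERP, whose endpoint is PHP) contrasts the unsafe pattern the advisory describes with a validated, parameterized version; the table, column names and sample rows are constructed assumptions.

```python
import re
import sqlite3

# Constructed in-memory table standing in for the ERP's user-info data;
# the table and column names are assumptions, not taken from the product.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE korisnik (KID INTEGER, PID INTEGER, datum TEXT, ime TEXT)")
    con.executemany("INSERT INTO korisnik VALUES (?, ?, ?, ?)", [
        (1, 10, "2019-09-01", "alice"),
        (2, 10, "2019-09-15", "bob"),
        (3, 20, "2019-10-01", "carol"),
    ])
    return con

def query_vulnerable(con, datum1, datum2, kid, pid):
    """Interpolates the POST parameters straight into the statement, the
    pattern the advisory describes: a quote in datum1 alters the SQL
    structure instead of being treated as data (here it breaks parsing)."""
    sql = (f"SELECT ime FROM korisnik WHERE datum BETWEEN '{datum1}' AND '{datum2}' "
           f"AND KID = {kid} AND PID = {pid}")
    return [row[0] for row in con.execute(sql)]

DATE_RE = re.compile(r"^\d{4}-\d{2}-\d{2}$")

def query_hardened(con, datum1, datum2, kid, pid):
    """Validates each parameter against its expected shape (ISO date, integer)
    and binds it through placeholders, so the statement's structure is fixed
    before any user-supplied value reaches the database."""
    for value in (datum1, datum2):
        if not DATE_RE.match(value):
            raise ValueError(f"rejected date parameter: {value!r}")
    try:
        kid_i, pid_i = int(kid), int(pid)
    except ValueError:
        raise ValueError("KID and PID must be integers") from None
    sql = ("SELECT ime FROM korisnik WHERE datum BETWEEN ? AND ? "
           "AND KID = ? AND PID = ?")
    return [row[0] for row in con.execute(sql, (datum1, datum2, kid_i, pid_i))]

def raises_error(fn, *args):
    """True if the call fails: a SQL syntax error from the vulnerable path,
    or the validation error the hardened path raises before any query runs."""
    try:
        fn(*args)
    except (ValueError, sqlite3.OperationalError):
        return True
    return False
```

With well-formed input both functions return the same rows; with a stray quote the vulnerable function hands a different statement to the database, while the hardened one rejects the value at validation time.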
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)