CVE-2019-25479
Description
Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. Attackers can send POST requests to the agents/agentlistdetails endpoint with malicious SQL payloads in the city parameter to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Inout RealEstate allows attackers to extract database content via the city parameter.
Vulnerability Overview
CVE-2019-25479 describes an SQL injection vulnerability in Inout RealEstate, a real estate listing application. The flaw exists in the agents/agentlistdetails endpoint, where the city POST parameter is not properly sanitized before being used in database queries. This allows an unauthenticated attacker to inject arbitrary SQL commands. [1][2]
Exploitation
An attacker can exploit this vulnerability by sending a crafted POST request to [base URL]/agents/agentlistdetails with a malicious SQL payload in the city parameter. No authentication is required, and the attack is performed over HTTP. A Proof-of-Concept payload using RLIKE with a boolean-based blind injection has been publicly released. [2]
Impact
Successful exploitation enables an attacker to read sensitive data from the database, including user credentials, personal information, and other confidential records. The CVSS v3 score of 8.2 (High) reflects the low attack complexity and high confidentiality impact. [1]
Mitigation
As of the publication date, no official patch has been referenced. Users should apply input validation and parameterized queries as a workaround. The vendor has not confirmed an end-of-life status for the product. [1][2]
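The workaround named above, sketched for the city POST parameter. This is an added example, not Inout RealEstate code: the agents table, its columns, the function names and the sample rows are hypothetical, and SQLite stands in for the product's database. The constructed input shows why the allow-list alone is not enough and the bound parameter is what keeps the value out of the SQL text.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Constructed allow-list for city names: letters, spaces, dots, apostrophes, hyphens.
CITY_RE = re.compile(r"[A-Za-z][A-Za-z .'\-]{0,63}")

# Constructed sample body: it passes the allow-list above, yet changes the
# meaning of a concatenated query.
TAUTOLOGY_BODY = "city=x' OR 'a' LIKE 'a"

def make_db():
    """In-memory stand-in for the agents table (hypothetical schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE agents (id INTEGER PRIMARY KEY, name TEXT, city TEXT)")
    db.executemany("INSERT INTO agents (name, city) VALUES (?, ?)",
                   [("Ana", "Lisbon"), ("Ben", "Austin"), ("Cy", "Coeur d'Alene")])
    return db

def agents_unsafe(db, body):
    """The 'before' pattern: city is concatenated into the SQL text."""
    city = parse_qs(body).get("city", [""])[0]
    sql = "SELECT name FROM agents WHERE city = '" + city + "' ORDER BY id"
    return [row[0] for row in db.execute(sql)]

def agents_safe(db, body):
    """Hardened: exactly one city value, allow-list check, then a bound parameter."""
    values = parse_qs(body, keep_blank_values=True).get("city", [])
    if len(values) != 1 or not CITY_RE.fullmatch(values[0]):
        raise ValueError("invalid city")
    sql = "SELECT name FROM agents WHERE city = ? ORDER BY id"
    return [row[0] for row in db.execute(sql, (values[0],))]

if __name__ == "__main__":
    db = make_db()
    print("unsafe:", agents_unsafe(db, TAUTOLOGY_BODY))  # every agent row
    print("safe:  ", agents_safe(db, TAUTOLOGY_BODY))    # no rows: value is data only
    print("safe:  ", agents_safe(db, "city=Coeur d'Alene"))  # legitimate apostrophe
```

A legitimate city name containing an apostrophe breaks the concatenated query with a syntax error but works in the bound one, which is a quick way to spot concatenation during code review or testing.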
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
References: 2
News mentions: 0 (no linked articles in our index yet)