CVE-2019-25481
Description
iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. Attackers can send POST requests to the search endpoint with crafted SQL payloads to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in iScripts ReserveLogic allows attackers to extract sensitive database data via the jqSearchDestination parameter.
iScripts ReserveLogic contains an SQL injection vulnerability (CWE-89) in its search endpoint. The jqSearchDestination POST parameter is directly concatenated into SQL queries without proper sanitization or parameterization, enabling an attacker to inject arbitrary SQL commands [1][2].
Exploitation requires no authentication and can be performed over the network by sending a crafted POST request to the /search path. A public proof-of-concept demonstrates a boolean-based blind injection using a CASE WHEN clause, allowing an attacker to infer database contents character by character [2].
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the database, such as user credentials or other confidential data. The CVSS v3 base score of 8.2 reflects a high confidentiality impact, with low integrity impact and no availability impact [1].
As of the publication date, no official patch has been confirmed, and the vendor may no longer support the product. The public availability of exploit code increases the risk of active exploitation [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
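A detection sketch for the injection pattern described above, as an added example that is not part of the original advisory or the vendor's code: it inspects POST bodies sent to /search and flags jqSearchDestination values that carry SQL syntax rather than a place name. The rule set, function names and sample requests are constructed assumptions; it complements, and does not replace, parameterizing the query on the server.

```python
import re
from urllib.parse import parse_qs

PARAM = "jqSearchDestination"   # parameter named in the CVE description
SEARCH_PATH = "/search"         # endpoint path as given on this page

# Heuristic patterns (assumed rule set; tune against your own traffic).
RULES = {
    "case_when": re.compile(r"\bcase\s+when\b", re.I),
    "union_select": re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    "quote_then_logic": re.compile(r"['\"]\s*\)*\s*(and|or)\b", re.I),
    "sql_comment": re.compile(r"(--\s|--$|/\*|#\s*$)"),
    "time_function": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
}

# Constructed sample requests: (method, path, url-encoded POST body).
SAMPLE_REQUESTS = [
    ("POST", "/search", "jqSearchDestination=Paris"),
    ("POST", "/search", "jqSearchDestination=St.+John%27s"),  # benign apostrophe
    ("POST", "/search",
     "jqSearchDestination=x%27+AND+(CASE+WHEN+(1%3D1)+THEN+1+ELSE+0+END)%3D1--+"),
    ("POST", "/login", "jqSearchDestination=x%27+OR+1%3D1"),  # other endpoint
]

def inspect_request(method, path, body):
    """Return the sorted rule names matched by the destination parameter."""
    if method.upper() != "POST":
        return []
    if path.split("?")[0].rstrip("/") != SEARCH_PATH:
        return []
    # parse_qs URL-decodes values, so encoded quotes and spaces are seen.
    values = parse_qs(body, keep_blank_values=True).get(PARAM, [])
    hits = set()
    for value in values:
        hits.update(name for name, rx in RULES.items() if rx.search(value))
    return sorted(hits)

def scan(requests):
    """Return (index, matched_rules) for every request that trips a rule."""
    flagged = []
    for i, (method, path, body) in enumerate(requests):
        hits = inspect_request(method, path, body)
        if hits:
            flagged.append((i, hits))
    return flagged

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_REQUESTS):
        print(f"request {index}: suspicious {PARAM} ({', '.join(hits)})")
```

A lone apostrophe in a legitimate destination name is deliberately not flagged; only a quote followed by boolean logic, a CASE WHEN expression, a comment terminator or similar SQL syntax raises an alert.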
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.