VYPR
High severity · CVSS 8.2 · NVD Advisory · Published Mar 11, 2026 · Updated Apr 15, 2026

CVE-2019-25486

Description

Varient 1.6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_id parameter. Attackers can submit POST requests with crafted SQL payloads in the user_id field to bypass authentication and extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Varient 1.6.1 contains an unauthenticated SQL injection in the user_id parameter, allowing attackers to bypass authentication and extract sensitive database data.

Vulnerability

Description

Varient 1.6.1, a news magazine script, suffers from an SQL injection vulnerability in the user_id parameter. The application fails to properly sanitize user-supplied input before incorporating it into SQL queries, enabling attackers to inject arbitrary SQL commands [1][2]. This occurs via POST requests, where the user_id field can be manipulated with crafted payloads.

Exploitation

Details

The vulnerability is exploitable without authentication: an attacker submits a POST request to a vulnerable endpoint, for example a comment submission endpoint, with a malicious user_id value [3]. The proof-of-concept payload %27)/**/oR/**/3211170=3211170/**/aNd/**/(%276199%27)=(%276199 [3] is URL-encoded; decoded it reads ')/**/oR/**/3211170=3211170/**/aNd/**/('6199')=('6199. The leading ') closes the quoted literal and the parenthesis the query wraps around the user_id value, the /**/ sequences stand in for whitespace and the mixed-case keywords evade naive keyword filters, 3211170=3211170 is an always-true condition ORed into the WHERE clause, and the trailing ('6199')=('6199 re-balances the quote and parenthesis that the original query appends after the value, so the injected statement stays syntactically valid. The attack requires no special privileges and is executed over the network [2].

Impact

Successful exploitation can lead to authentication bypass and unauthorized extraction of sensitive information from the database, such as user credentials or other confidential data [1][2]. The CVSS v4 score of 8.2 (High) reflects the serious risk of confidentiality compromise [2].

Mitigation

As of the advisory date, no official patch had been announced in the references provided [1][2]. Users of Varient 1.6.1 and earlier should upgrade to a fixed release once one is available; until then the affected query must be rewritten to use parameterized (prepared) statements, with input validation on user_id (rejecting values that are not of the expected type) as defence in depth. Validation and keyword filtering alone are not a fix: the proof-of-concept payload already uses comment sequences and mixed case to slip past naive filters.

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
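Worked example of the injection mechanics described above, added here as an illustration; it is not code from Varient or from the advisory's references. The query shape WHERE (user_id = '...') is an assumption inferred from the payload, which opens with ') and ends with ('6199 so that a trailing ') appended by the query re-balances it; Varient's real SQL is not shown in the sources. The users table and its rows are constructed sample data. The model shows the URL-decoded payload, the always-true condition it produces in a string-concatenated query versus the same lookup with a bound parameter, and a normalization step for detection, since the /**/ comments and mixed case defeat a filter that only looks for " or " or "OR".

```python
import re
import sqlite3
from urllib.parse import unquote

# Proof-of-concept value cited on the page, as it appears URL-encoded in the POST body.
PAYLOAD_ENCODED = "%27)/**/oR/**/3211170=3211170/**/aNd/**/(%276199%27)=(%276199"


def decode_payload(raw):
    """URL-decode a form value the way a web framework does before it reaches the query."""
    return unquote(raw)


def setup_db():
    """Constructed sample data (not Varient's schema): three users in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, user_id TEXT, username TEXT, password_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (user_id, username, password_hash) VALUES (?, ?, ?)",
        [
            ("42", "alice", "$2y$10$alicehash"),
            ("43", "bob", "$2y$10$bobhash"),
            ("44", "admin", "$2y$10$adminhash"),
        ],
    )
    return conn


def vulnerable_lookup(conn, user_id):
    """Hypothetical concatenating query. The (user_id = '...') shape is an assumption
    inferred from the payload: it opens with ') and ends with ('6199, so the query's
    own trailing ') closes the injected expression and the statement stays valid."""
    sql = f"SELECT username, password_hash FROM users WHERE (user_id = '{user_id}')"
    return conn.execute(sql).fetchall()


def safe_lookup(conn, user_id):
    """Same lookup with a bound parameter: the payload is compared as a literal string."""
    sql = "SELECT username, password_hash FROM users WHERE (user_id = ?)"
    return conn.execute(sql, (user_id,)).fetchall()


def normalize_for_inspection(value):
    """Collapse /**/ comment-as-whitespace tricks and letter case so a detector sees the real tokens."""
    return re.sub(r"/\*.*?\*/", " ", value).lower()


# A quote or closing parenthesis, then OR, then "x=x" with identical sides: the tautology pattern.
TAUTOLOGY = re.compile(r"(?:'|\))\s*or\s+(\S+?)\s*=\s*\1(?!\S)")


def suspicious_user_id(value):
    """Flag a decoded user_id that breaks out of a quoted literal into an OR tautology."""
    return TAUTOLOGY.search(normalize_for_inspection(value)) is not None


if __name__ == "__main__":
    conn = setup_db()
    injected = decode_payload(PAYLOAD_ENCODED)
    print("decoded payload:", injected)
    print("vulnerable, legitimate id:", vulnerable_lookup(conn, "42"))
    print("vulnerable, payload:", vulnerable_lookup(conn, injected))  # every row leaks
    print("parameterized, payload:", safe_lookup(conn, injected))     # no rows
    print("flagged:", suspicious_user_id(injected), suspicious_user_id("42"))
```

With the concatenated query the decoded payload turns the WHERE clause into (user_id = '') OR 3211170=3211170 AND ('6199')=('6199'), which is true for every row, so the whole table comes back; the parameterized version compares the payload as an opaque string and returns nothing. The normalization step is what a WAF rule or log-based detection should run before matching, because the raw value contains neither a space nor the lowercase token "or".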

Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.
References: 3
News mentions: 0 (no linked articles in our index yet)