CVE-2019-25504
Description
NCrypted Jobgator contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the experience parameter. Attackers can send POST requests to the agents Find-Jobs endpoint with malicious experience values to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in NCrypted Jobgator via the `experience` parameter at the agents Find-Jobs endpoint allows attackers to extract sensitive database information.
Vulnerability Overview
CVE-2019-25504 is an unauthenticated SQL injection vulnerability in NCrypted Jobgator. The flaw stems from improper neutralization of special elements used in an SQL command (CWE-89) [1][2]. The experience parameter passed via a POST request to the /agents/Find-Jobs endpoint is not sanitized before being used in database queries, allowing an attacker to inject arbitrary SQL code [1][2].
Exploitation
An attacker can trigger the vulnerability by sending a crafted POST request to the vulnerable endpoint. A proof-of-concept demonstrates that the experience parameter can be set to values such as 1" OR 4365=4365# to bypass authentication or alter query logic [2]. No authentication is required, and the attack is performed over the network via HTTP POST requests [1].
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the backend database. According to the CVSS v4 vector for this advisory, the vulnerability has high confidentiality impact, meaning arbitrary data can be read [1]. Integrity impact is low, and availability is not affected.
Mitigation
As of the publication date, no patch is known. The vendor's demo site remains functional, and the product version affected is listed as "Lastest" (likely meaning all versions up to the date of discovery) [2]. Users of NCrypted Jobgator should restrict network access to the /agents/Find-Jobs endpoint and implement input validation for the experience parameter until an official fix is released.
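One way to apply the input-validation advice above, as an added example that is not Jobgator's code and not part of the advisory. It uses Python with an in-memory SQLite table as a constructed stand-in and assumes `experience` is a whole number of years; all function, table and column names are hypothetical.

```python
import re
import sqlite3

# Assumption: `experience` is a whole number of years (0-99); the advisory
# does not document the parameter's legitimate format.
EXPERIENCE_RE = re.compile(r"[0-9]{1,2}")

# The proof-of-concept value quoted in the advisory text above.
ADVISORY_POC = '1" OR 4365=4365#'


def make_demo_db():
    """Constructed in-memory table standing in for the job listings."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (title TEXT, experience INTEGER)")
    conn.executemany(
        "INSERT INTO jobs VALUES (?, ?)",
        [("Analyst", 1), ("Engineer", 3), ("Architect", 8)],
    )
    return conn


def parse_experience(raw):
    """Allow-list validation: return an int, or raise ValueError."""
    if not isinstance(raw, str) or not EXPERIENCE_RE.fullmatch(raw):
        raise ValueError("experience must be 1-2 ASCII digits")
    return int(raw)


def query_bound(conn, value):
    """Parameterized query: the value is bound as data, never parsed as SQL."""
    rows = conn.execute(
        "SELECT title FROM jobs WHERE experience = ? ORDER BY title", (value,)
    )
    return [title for (title,) in rows]


def find_jobs(conn, raw_experience):
    """Handler logic: validate first, then bind. Invalid input yields no rows."""
    try:
        years = parse_experience(raw_experience)
    except ValueError:
        return []  # a real handler would answer HTTP 400 and log the request
    return query_bound(conn, years)
```

Validation and binding are independent layers: the quoted proof-of-concept value is rejected by `parse_experience`, and if it reached `query_bound` anyway it would be compared as a literal string and match no rows.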
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 2
News mentions: 0
No linked articles in our index yet.