CVE-2019-25534
Description
Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. Attackers can submit POST requests to index.php with crafted SQL payloads in the features[] parameter to extract sensitive database information or manipulate database queries.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Netartmedia PHP Car Dealer is vulnerable to unauthenticated SQL injection via the features[] parameter, allowing attackers to extract or manipulate database data.
Vulnerability Overview
CVE-2019-25534 is an SQL injection vulnerability in Netartmedia PHP Car Dealer, a vehicle listing script. The flaw resides in the features[] parameter, which is submitted in POST requests to index.php and is not properly sanitized before being used in SQL queries. An attacker can inject arbitrary SQL commands through this parameter because the application fails to neutralize special elements used in SQL queries [1].
Exploitation
Exploitation requires no authentication; an attacker can send a crafted POST request to the vulnerable endpoint. A proof-of-concept payload demonstrates time-based blind SQL injection using (select(0)from(select(sleep(0)))v) embedded in the features[] parameter, confirming the vulnerability is exploitable without prior access [2].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries, potentially extracting sensitive information from the database (e.g., user credentials, dealer data) or modifying database content. The CVSS v3 score of 8.2 (High) reflects a network attack vector with no privileges required, high confidentiality impact and low integrity impact [1].
Mitigation
As of the publication date, no official patch has been confirmed. Users should apply input validation and parameterized queries to the features[] parameter, or consider migrating to a maintained alternative if the vendor does not release a fix.
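One way to apply the validation and parameterized-query advice above to an array parameter such as features[], as an added example that is not the vendor's code or a patch. It assumes the values are integer feature IDs matched with an IN clause; the table, column and function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical schema: car_features(car_id, feature_id). The real table and
// column names used by PHP Car Dealer are not given on this page.

/** Accept only a short list of decimal-integer strings; reject anything else. */
function validate_feature_ids(mixed $raw, int $max = 50): array
{
    if (!is_array($raw) || count($raw) > $max) {
        throw new InvalidArgumentException('features must be a short list');
    }
    $ids = [];
    foreach ($raw as $value) {
        if (!is_string($value) || !ctype_digit($value)) {
            throw new InvalidArgumentException('feature id is not an integer');
        }
        $ids[] = (int) $value;
    }
    return array_values(array_unique($ids));
}

/** Return car ids having any of the given features, one bound placeholder per id. */
function find_cars_by_features(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];   // "IN ()" is invalid SQL, so short-circuit
    }
    // Only "?" marks are interpolated into the SQL text, never request data.
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT DISTINCT car_id FROM car_features WHERE feature_id IN ($marks) ORDER BY car_id"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed demo data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE car_features (car_id INTEGER, feature_id INTEGER)');
$db->exec('INSERT INTO car_features VALUES (1, 3), (1, 7), (2, 7), (3, 9)');

// Constructed request bodies standing in for $_POST['features'].
$requests = [['3', '7'], ['7', '(select(0)from(select(sleep(0)))v)']];
foreach ($requests as $features) {
    try {
        $cars = find_cars_by_features($db, validate_feature_ids($features));
        echo 'cars: ' . implode(',', $cars) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . PHP_EOL;
    }
}
```

Validation and binding are independent layers here: the non-integer value is rejected before any query is built, and even an accepted value reaches the database only as a bound parameter.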
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (2)
News mentions (0)
No linked articles in our index yet.