CVE-2019-25641

Netartmedia Vlog System [1] contains an SQL injection vulnerability in the forgotten_password module. The application fails to properly sanitize the email parameter before using it in database queries, allowing an attacker to inject arbitrary SQL commands [2].

An unauthenticated attacker can exploit this by sending a crafted POST request to index.php with a malicious email value. The exploit pattern includes parameters such as ProceedSend=1&email=-1' OR 3*2*1=6 AND 000371=000371 -- &mod=forgotten_password [3]. No authentication or special privileges are required, making the attack surface broad.

Successful exploitation allows the attacker to extract sensitive information from the database, including user credentials and other data. The CVSS v3 score of 8.2 reflects the high confidentiality impact and the ease of exploitation over the network without authentication.

As of the publication date, no official patch has been announced. Users are advised to implement input validation and parameterized queries to mitigate the risk. The vendor's website [1] does not mention a fix, and the vulnerability remains unpatched in the latest version at the time of disclosure.