CVE-2019-25643
Description
eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
eNdonesia Portal v8.7 suffers from unauthenticated SQL injection in banners.php via the bid parameter, allowing attackers to extract sensitive database contents.
Vulnerability
Overview
CVE-2019-25643 describes multiple SQL injection vulnerabilities in eNdonesia Portal version 8.7. The root cause is improper neutralization of special elements used in SQL commands (CWE-89) in the banners.php script [3]. The bid parameter is directly concatenated into SQL queries without sanitization, enabling attackers to inject arbitrary SQL payloads via GET requests [1].
Exploitation
This vulnerability can be exploited remotely without authentication. An attacker only needs to craft a malicious GET request to banners.php with a specially crafted bid parameter. Since no authentication is required and the attack vector is network-based, the barrier to exploitation is very low [3]. The official advisory on Exploit-DB provides proof-of-concept code demonstrating how to extract data from the INFORMATION_SCHEMA tables [1].
Impact
Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the underlying database. This could lead to the exfiltration of sensitive information such as user credentials, personal data, or configuration secrets stored in the database [3]. The CVSS v3 base score of 8.2 reflects high impact to confidentiality, though integrity and availability are less affected.
Mitigation
As of the publication date, the project appears to be unmaintained; the vendor homepage and source code repository page remain available but no patch has been released [2]. Organizations using eNdonesia Portal v8.7 should consider migrating to an alternative, actively maintained platform to mitigate the risk of SQL injection and other vulnerabilities.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4