CVE-2019-25713
Description
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
MyT-PM 1.5.1 is vulnerable to SQL injection via the Charge[group_total] parameter, allowing authenticated attackers to execute arbitrary SQL queries and extract or manipulate database data.
MyT-PM 1.5.1 suffers from a SQL injection vulnerability in the Charge[group_total] parameter of the /charge/admin endpoint [1][2][4]. The application fails to properly sanitize user-supplied input, allowing an attacker to inject arbitrary SQL statements into the database query. This issue affects the project management software MyT (Manage Your Team) [1].
Exploitation requires an authenticated user, as the vulnerable endpoint is part of the administrative interface. An attacker can submit crafted POST requests containing error-based, time-based blind, or stacked query payloads to execute malicious SQL commands [2]. The provided exploit payloads demonstrate these techniques, including the use of EXTRACTVALUE for error-based injection and SLEEP for time-based detection [2].
Successful exploitation allows an attacker to extract sensitive data from the database, such as user credentials or project information, and potentially modify or delete records [2][4]. This could lead to complete compromise of the application’s data integrity and confidentiality.
As of the advisory's publication, no official patch was available, and users were advised to apply input validation or restrict access to affected endpoints [2][4]. The MyT-PM project may no longer be actively maintained, so users should consider migrating to alternative solutions or implementing a web application firewall to mitigate the risk.
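One way to apply the input-validation mitigation mentioned above, as an added example (not code from MyT-PM or the advisory): a request guard that rejects POSTs to /charge/admin whose Charge[group_total] is not a plain decimal number. It assumes the field is meant to hold a numeric amount; the function name, limits and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

GUARDED_PATH = "/charge/admin"
GUARDED_FIELD = "Charge[group_total]"
# Assumption: group_total is a non-negative decimal amount. ASCII digits only,
# so Unicode digit look-alikes are rejected as well.
NUMERIC = re.compile(r"[0-9]{1,12}(\.[0-9]{1,4})?")


def check_request(method, path, body):
    """Return (allowed, reason) for one form-encoded request."""
    route = path.split("?", 1)[0].rstrip("/")
    if method.upper() != "POST" or route != GUARDED_PATH:
        return True, "not a guarded request"
    # parse_qsl percent-decodes names and values, so the encoded form
    # Charge%5Bgroup_total%5D is matched too.
    pairs = parse_qsl(body, keep_blank_values=True)
    values = [v for k, v in pairs if k == GUARDED_FIELD]
    if not values:
        return True, "field absent"
    if len(values) > 1:
        # Repeated keys are parsed differently by different stacks; refuse them.
        return False, "field repeated"
    if not NUMERIC.fullmatch(values[0]):
        return False, "non-numeric value"
    return True, "ok"


# Constructed sample requests (method, path, body); not taken from real traffic.
SAMPLES = [
    ("POST", "/charge/admin", "Charge%5Bgroup_total%5D=1250.50&Charge%5Bname%5D=Q3"),
    ("POST", "/charge/admin", "Charge%5Bgroup_total%5D=1+AND+SLEEP%285%29"),
    ("POST", "/charge/admin", "Charge[group_total]=1&Charge[group_total]=2"),
    ("GET", "/charge/admin", ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, path, check_request(method, path, body))
```

A guard like this sits in front of the application (reverse proxy hook or middleware) and narrows exposure; the durable fix is binding the value as a typed query parameter inside the application.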
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:myt_project:myt:1.5.1:*:*:*:*:*:*:*
- (no CPE) range: = 1.5.1
Patches
No patches discovered yet.
References
- www.exploit-db.com/exploits/46084 (nvd: Exploit, VDB Entry)
- www.vulncheck.com/advisories/myt-pm-sql-injection-via-charge-group-total-parameter (nvd: Third Party Advisory)
- manageyourteam.net (nvd: Broken Link)
- sourceforge.net/projects/myt/ (nvd: Product)