CVE-2019-8923
Description
XAMPP through 5.6.8 and previous allows SQL injection via the cds-fpdf.php jahr parameter. NOTE: This product is discontinued.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- XAMPP/XAMPP
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization in the jahr parameter of cds-fpdf.php allows SQL injection."
Attack vector
An attacker sends an HTTP GET request to `cds-fpdf.php` with a malicious payload in the `jahr` parameter. The proof-of-concept URL appends `AND sleep(5)` to the `jahr` value, demonstrating time-based blind SQL injection [ref_id=1]. No authentication is required; the attacker only needs network access to the XAMPP web server.
Affected code
The vulnerable file is `cds-fpdf.php` within the XAMPP package. The `jahr` parameter is passed unsanitized into a SQL query, allowing an attacker to inject arbitrary SQL statements [ref_id=1].
What the fix does
No patch is available because the product is discontinued [ref_id=1]. The advisory recommends updating to the latest version, but since XAMPP 5.6.8 is the final release in that line, users must migrate to a newer major version or replace the component entirely [ref_id=1].
Preconditions
- network: The XAMPP web server must be running and the cds-fpdf.php script must be accessible.
- auth: No authentication is required; the endpoint is publicly reachable.
- input: The attacker supplies a malicious jahr parameter value containing SQL metacharacters.
Reproduction
Visit `http://localhost/xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20AND%20sleep%285%29`. If the page response is delayed by approximately 5 seconds, the SQL injection is confirmed [ref_id=1].
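Since no patch exists for this release line, one practical interim control is to watch the web server logs for the pattern above. The following is an added detection example, not code from the advisory or from XAMPP: it scans Apache combined-format access log lines (the format is an assumption) for hits on `cds-fpdf.php` whose decoded `jahr` value is anything other than a bare four-digit year, which is the only shape a legitimate year lookup should ever have. The sample log lines are constructed; the second one carries the advisory's proof-of-concept query string.

```python
"""Flag XAMPP cds-fpdf.php requests whose `jahr` value is not a plain year.

Added example, not part of the advisory or of XAMPP. Assumes Apache
combined-format access logs; the sample lines below are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; the second one carries the advisory's
# time-based proof-of-concept query string, the others are ordinary traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2026:10:00:01 +0000] "GET /xampp/cds-fpdf.php?interpret=Queen&titel=Jazz&jahr=1978 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [25/May/2026:10:00:07 +0000] "GET /xampp/cds-fpdf.php?interpret=SQLi&titel=SQLi&jahr=1984%20%20AND%20sleep%285%29 HTTP/1.1" 200 5120 "-" "curl/7.68.0"
10.0.0.5 - - [25/May/2026:10:00:09 +0000] "GET /xampp/index.php HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Client IP, timestamp and the request target from the quoted request line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"'
)
# The only value shape a year lookup should need: exactly four digits.
YEAR_RE = re.compile(r"^\d{4}$")


def suspicious_jahr_requests(log_text):
    """Return (ip, timestamp, decoded jahr) for every cds-fpdf.php hit whose jahr is not a bare year."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # not a request line we understand
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("/cds-fpdf.php"):
            continue  # only the vulnerable endpoint is of interest
        # parse_qs percent-decodes values, so `%20AND%20sleep%285%29` is inspected
        # in its decoded form; keep_blank_values so an empty jahr is still checked.
        for value in parse_qs(parts.query, keep_blank_values=True).get("jahr", []):
            if not YEAR_RE.match(value):
                hits.append((m.group("ip"), m.group("ts"), value))
    return hits


if __name__ == "__main__":
    for ip, ts, value in suspicious_jahr_requests(SAMPLE_LOG):
        print(f"{ts} {ip} jahr={value!r}")
```

Run against a real access log by feeding the file contents to `suspicious_jahr_requests`; any flagged row is a request that no legitimate client of this script would send.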
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/46424/ (EXPLOIT-DB)
- packetstormsecurity.com/files/151756/XAMPP-5.6.8-Cross-Site-Scripting-SQL-Injection.html (MISC)
- seclists.org/fulldisclosure/2019/Feb/43 (FULLDISC mailing list)
- www.securityfocus.com/bid/107168 (BID)
- sourceforge.net/projects/xampp/files/XAMPP%20Windows/1.8.2/ (MISC)
- sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.5.19/ (MISC)
- sourceforge.net/projects/xampp/files/XAMPP%20Windows/5.6.8/ (MISC)