CVE-2019-25457

Plain English Summary

AI-powered analysis for quick understanding

This vulnerability allows attackers to access sensitive information from the database by sending specially crafted requests to the web application without needing to log in. They can exploit this flaw by manipulating a specific parameter in the URL, making it possible to extract data through SQL injection.

Technical Description

Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can send GET requests to category pages with malicious 'oz[]' values using time-based blind SQL injection payloads to extract sensitive database information.
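The defect class described above, as an added illustration that is not code from the advisory or from Web Ofisi (a PHP application; Python with SQLite is used here so the example runs stand-alone): a PHP-style array parameter such as oz[]=3&oz[]=7 whose values are concatenated into an IN list, beside a type-checked, parameterised version. The table and column names (firma, kategori_id) are assumptions for the demo.

```python
import sqlite3
from urllib.parse import parse_qs


def setup_db():
    """In-memory SQLite with a small constructed dataset (not real app data)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE firma (id INTEGER, ad TEXT, kategori_id INTEGER)")
    con.executemany("INSERT INTO firma VALUES (?, ?, ?)",
                    [(1, "Firma A", 3), (2, "Firma B", 7), (3, "Firma C", 9)])
    return con


def oz_values(query_string):
    """Collect the repeated oz[] values the way PHP's $_GET['oz'] would."""
    return parse_qs(query_string).get("oz[]", [])


def vulnerable_lookup(query_string):
    """Vulnerable pattern: untrusted values are pasted straight into the IN list,
    so any non-numeric value becomes part of the SQL statement."""
    con = setup_db()
    in_list = ",".join(oz_values(query_string))
    sql = f"SELECT ad FROM firma WHERE kategori_id IN ({in_list}) ORDER BY id"
    return [row[0] for row in con.execute(sql)]


def safe_lookup(query_string):
    """Hardened pattern: every oz[] value must be an integer and is bound as a
    query parameter. Returns None when input is rejected (caller answers 400)."""
    ids = []
    for value in oz_values(query_string):
        if not value.isdigit():
            return None  # reject the whole request instead of guessing
        ids.append(int(value))
    if not ids:
        return []
    con = setup_db()
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT ad FROM firma WHERE kategori_id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in con.execute(sql, ids)]
```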

CVSS Vector Analysis

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Scope: Changed

Vector String

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Est. Bounty: $4,789 ($1K-$5K)
Vendor Response: Grade A, patched in 4 days

Quick Information

Published: Feb 22, 2026
Last Modified: Feb 26, 2026
Vendor: web-ofisi
Product: firma

Related Vulnerabilities

CVE-2019-25461 (High)

This vulnerability allows attackers to access sensitive information from the database by sending specially crafted requests to a specific endpoint without needing to log in. They can exploit this flaw by injecting harmful SQL code through a search parameter, making it possible to retrieve data that should be protected.

CVE-2019-25460 (High)

This vulnerability allows attackers to access sensitive information from the database by sending specially crafted requests to the web application without needing to log in. It specifically targets the 'q' parameter in search queries, enabling attackers to manipulate the database and extract data using time-based techniques.

CVE-2019-25459 (High)

This vulnerability allows attackers to manipulate database queries on the Web Ofisi Emlak platform, enabling them to access sensitive information or execute harmful commands without needing to log in. It can be exploited by sending specially crafted requests with specific parameters, making it a serious risk for any site using this software.

CVE-2019-25458 (High)

This vulnerability allows attackers to access and manipulate the database of the Web Ofisi Firma Rehberi application without needing to log in, simply by sending specially crafted requests with malicious code in certain URL parameters. If exploited, attackers can extract sensitive information from the database or execute harmful commands, posing a significant risk to the application's data security.

CVE-2019-25456 (High)

This vulnerability allows attackers to access and manipulate the database of the Web Ofisi Emlak application without needing to log in, simply by sending specially crafted requests through a specific URL parameter. By exploiting this flaw, they can extract sensitive information or even disrupt the service, making it critical for users to secure their systems.