CVE-2019-25391
Severity: High
CWE-89 — Weakness Type
Published: Feb 22, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3: 8.2
🔗 NVD Official
📄 Description (English)

Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information.
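The description above states the mechanism plainly: the blacklistitemid value is spliced into a database query, so SQL placed in that value changes the query. The following added example (written for this page; it is not code from Ashop Shopping Cart Software or from NVD) reproduces that pattern in Python against an in-memory SQLite table. The table name, column names and sample rows are constructed assumptions; the real Ashop schema is not on the page. SQLite has no SLEEP(), so the blind-extraction loop uses a boolean oracle (does row 1 come back or not) instead of a timing delay; the character-by-character inference is otherwise the same technique the advisory describes. The hardened lookup validates the value as an integer and binds it as a parameter.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed stand-in for the application's banned-customer table.
    Table and column names are assumptions, not the real Ashop schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE banned_customers (
            blacklistitemid INTEGER PRIMARY KEY,
            email TEXT NOT NULL
        );
        INSERT INTO banned_customers VALUES (1, 'fraud@example.test');
        INSERT INTO banned_customers VALUES (2, 'chargeback@example.test');
        INSERT INTO banned_customers VALUES (3, 'bot@example.test');
    """)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, blacklistitemid: str) -> list[str]:
    """CWE-89 pattern: the request parameter is concatenated into the SQL text,
    so anything after the number becomes part of the WHERE clause."""
    sql = "SELECT email FROM banned_customers WHERE blacklistitemid = " + blacklistitemid
    return [row[0] for row in conn.execute(sql)]


def blind_probe(conn: sqlite3.Connection, position: int, guess: str) -> bool:
    """One blind-injection oracle query through the vulnerable lookup.
    A time-based variant would wrap the condition in SLEEP(); SQLite has no
    SLEEP, so the oracle is whether row 1 is returned (true) or nothing is (false)."""
    payload = (
        "1 AND (SELECT substr(email, {}, 1) FROM banned_customers "
        "WHERE blacklistitemid = 2) = '{}'".format(position, guess)
    )
    return bool(lookup_vulnerable(conn, payload))


def blind_extract(conn: sqlite3.Connection, length: int,
                  charset: str = "abcdefghijklmnopqrstuvwxyz@.") -> str:
    """Recover the first `length` characters of row 2's email, one guess per query."""
    recovered = ""
    for pos in range(1, length + 1):
        for ch in charset:
            if blind_probe(conn, pos, ch):
                recovered += ch
                break
    return recovered


def lookup_parameterized(conn: sqlite3.Connection, blacklistitemid: str) -> list[str]:
    """Hardened form: validate the type, then bind the value. The value travels
    separately from the statement text and cannot change its structure."""
    item_id = int(blacklistitemid)  # ValueError on anything that is not an integer
    sql = "SELECT email FROM banned_customers WHERE blacklistitemid = ?"
    return [row[0] for row in conn.execute(sql, (item_id,))]


if __name__ == "__main__":
    db = build_db()
    print(lookup_vulnerable(db, "1 OR 1=1"))   # every banned customer leaks
    print(blind_extract(db, 10))               # 'chargeback', one character per query
    try:
        lookup_parameterized(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies to the PHP code path the advisory names: a `mysqli` or PDO prepared statement with a bound integer is the equivalent of `lookup_parameterized`, and the integer check belongs before the query, not in a WAF signature.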

🤖 AI Executive Summary

CVE-2019-25391 is a time-based blind SQL injection vulnerability in Ashop Shopping Cart Software, reached through the blacklistitemid parameter of the admin/bannedcustomers.php endpoint. An attacker who can POST to that endpoint can inject SQL into the underlying query and, by timing the responses, extract database contents one condition at a time. The CVSS 3.1 score of 8.2 (High) reflects that the flaw is network-reachable and, per the vector, needs no privileges or user interaction; the feed lists no public exploit and an EPSS of 0.05%, so the score measures ease of exploitation rather than observed attack activity. Affected e-commerce deployments should be patched without delay.

🤖 AI Intelligence Analysis (analyzed Apr 25, 2026 04:33)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability affects any Saudi organization that runs Ashop Shopping Cart Software, most often e-commerce businesses, retailers and SMEs. Sectors where such storefronts are commonly deployed include banking (payment-processing integrations), telecom operators' online stores, retail/e-commerce (major online merchants) and government (e-procurement systems). Exposure in any of these sectors depends on whether Ashop is actually deployed, so confirm against an asset inventory before treating the sector list as a finding. Successful exploitation could expose customer records, payment information and administrative credentials, leading to data breaches and financial fraud.
🏢 Affected Saudi Sectors
E-commerce and Retail; Banking and Financial Services; Telecommunications; Government and Public Sector; Healthcare (if used for patient portals); Hospitality and Tourism
⚖️ Saudi Risk Score (AI): 8.1 / 10.0
🔧 Remediation Steps (English)
1. IMMEDIATE: Identify all systems running Ashop Shopping Cart Software (asset inventory, web-server virtual hosts that expose admin/bannedcustomers.php) and isolate unpatched instances from production.
2. Apply the available patch to all affected installations.
3. Add Web Application Firewall (WAF) rules that block SQL injection patterns in the blacklistitemid parameter. Make sure the rules URL-decode, case-fold and strip inline comments before matching; a plain keyword signature is trivially bypassed.
4. Restrict access to the admin/bannedcustomers.php endpoint with IP allow-listing and multi-factor authentication. The CVSS vector (PR:N) indicates the flaw is reachable without prior privileges, so a network-level restriction is the fastest compensating control while the patch is rolled out.
5. Review database query logs (for MySQL, the general or slow query log) for SLEEP() and BENCHMARK() calls and for bursts of near-identical queries that differ only in a comparison value, which is the footprint of character-by-character blind extraction.
6. Conduct database integrity checks and verify that no unauthorized data extraction occurred.
7. Reset all administrative credentials and database user passwords.
8. Detection rule: alert on POST requests to admin/bannedcustomers.php whose blacklistitemid value, after URL-decoding (including double encoding), case-folding and comment stripping, contains SLEEP(, BENCHMARK( or WAITFOR DELAY. Also alert on requests to this endpoint with unusually long response times, because a time-based payload that evades the keyword list still shows up as latency. Standard web-server access logs do not record POST bodies, so this rule needs a WAF, reverse proxy or application-level log that captures request parameters.
9. Fix the root cause: validate blacklistitemid as an integer and pass it to the database through a parameterized (prepared) statement, and apply the same to every other database operation in the application.
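Step 8 describes a keyword match on the request body and step 5 points at timing. The following added example (written for this page; it is not a rule shipped by the site or by any WAF vendor) runs both checks over constructed log records. It assumes a reverse proxy or WAF that writes each request as one JSON line carrying the method, path, raw POST body, response time in milliseconds and source address; that format, the field names and the 5-second latency threshold are assumptions, since ordinary web-server access logs omit POST bodies. Values are URL-decoded a second time, case-folded and stripped of inline comments before matching, and pg_sleep() is included alongside the page's SLEEP(), BENCHMARK() and WAITFOR so the same rule covers a PostgreSQL back end.

```python
import json
import re
from urllib.parse import parse_qs, unquote

TARGET_PATH = "/admin/bannedcustomers.php"
PARAM = "blacklistitemid"
SLOW_MS = 5000  # assumed threshold; the advisory names no value

# Time-delay primitives across MySQL (sleep, benchmark), PostgreSQL (pg_sleep)
# and SQL Server (waitfor delay). Matched after normalization, so case,
# whitespace and comment tricks do not matter.
TIME_FUNCS = re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b")


def normalize(value: str) -> str:
    """Canonical form of one parameter value before signature matching."""
    value = unquote(value)                     # second decode catches %25-style double encoding
    value = re.sub(r"/\*.*?\*/", " ", value)   # strip /**/ comment obfuscation
    return re.sub(r"\s+", " ", value).lower().strip()


def inspect(record: dict, slow_ms: int = SLOW_MS) -> list[str]:
    """Return the reasons a single request record should alert (empty if none)."""
    reasons: list[str] = []
    if record.get("method") != "POST" or record.get("path") != TARGET_PATH:
        return reasons
    values = parse_qs(record.get("body", ""), keep_blank_values=True).get(PARAM, [])
    if any(TIME_FUNCS.search(normalize(v)) for v in values):
        reasons.append("keyword")
    if record.get("duration_ms", 0) >= slow_ms:
        reasons.append("latency")   # slow response with or without a matched keyword
    return reasons


def scan(lines: list[str], slow_ms: int = SLOW_MS) -> list[dict]:
    """Run inspect() over JSON-lines records and collect the alerts."""
    alerts = []
    for line in lines:
        rec = json.loads(line)
        reasons = inspect(rec, slow_ms)
        if reasons:
            alerts.append({"ts": rec["ts"], "src": rec["src"], "reasons": reasons})
    return alerts


# Constructed sample log: one legitimate admin action, three injection attempts
# (plain, double-encoded, comment-obfuscated), one unrelated request, and one
# slow request with no keyword. Addresses are documentation ranges.
SAMPLE_LOG = [
    '{"ts":"2026-02-23T09:14:02Z","src":"10.0.0.5","method":"POST","path":"/admin/bannedcustomers.php","body":"blacklistitemid=42&action=remove","duration_ms":31}',
    '{"ts":"2026-02-23T09:15:10Z","src":"198.51.100.7","method":"POST","path":"/admin/bannedcustomers.php","body":"blacklistitemid=1%20AND%20SLEEP(5)--%20","duration_ms":5018}',
    '{"ts":"2026-02-23T09:15:16Z","src":"198.51.100.7","method":"POST","path":"/admin/bannedcustomers.php","body":"blacklistitemid=1%2520AND%2520sleep%25285%2529","duration_ms":5023}',
    '{"ts":"2026-02-23T09:16:40Z","src":"203.0.113.9","method":"POST","path":"/admin/bannedcustomers.php","body":"blacklistitemid=1%2F%2A%2A%2FAND%2F%2A%2A%2FBeNcHmArK%2810000000%2CMD5%281%29%29","duration_ms":212}',
    '{"ts":"2026-02-23T09:16:41Z","src":"203.0.113.9","method":"GET","path":"/index.php","body":"","duration_ms":18}',
    '{"ts":"2026-02-23T09:20:05Z","src":"192.0.2.44","method":"POST","path":"/admin/bannedcustomers.php","body":"blacklistitemid=7","duration_ms":6200}',
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The latency-only alert on the last record is deliberate: it is either a payload the keyword list missed or a slow endpoint, and either way it deserves a look at the query log from step 5.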
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy; A.14.2.5 - Secure development environment; A.13.1.3 - Segregation of networks; A.12.6.1 - Management of technical vulnerabilities. (The identifiers shown are ISO/IEC 27001:2013 Annex A control numbers, not native ECC control numbers; map them to the corresponding ECC controls before citing them in an audit.)
🔵 SAMA CSF
ID.GV-1 - Organizational cybersecurity policy; PR.DS-6 - Data is protected from unauthorized access; DE.CM-1 - The network is monitored for unauthorized connections; RS.MI-2 - Incidents are mitigated. (These are NIST CSF v1.1 subcategory identifiers rather than SAMA CSF control numbers.)
🟡 ISO/IEC 27001:2022
8.28 - Secure coding; 8.8 - Management of technical vulnerabilities; 8.25 - Secure development life cycle; 8.22 - Segregation of networks
🟣 PCI DSS v4.0.1
Requirement 6.2.4 - Software engineering techniques that prevent common attacks, including injection; Requirement 6.3.3 - Security patches and updates installed; Requirement 6.4.2 - Automated technical solution that detects and prevents web-based attacks (e.g. a WAF); Requirement 11.3 - Internal and external vulnerability scanning
📊 CVSS Score
8.2 / 10.0 (High)
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: L (Low)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 8.2
CWE: CWE-89
EPSS: 0.05%
Exploit: No
Patch: Yes
Published: 2026-02-22
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.1 / 10.0
Priority: CRITICAL