Vulnerabilities ›

CVE-2019-25443

High

CWE-89 — Weakness Type

                    Published: Feb 22, 2026                      ·  Modified: Feb 28, 2026                      ·  Source: NVD                

CVSS v3

8.2

🔗 NVD Official

📄 Description (English)

Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.

🤖 AI Executive Summary

CVE-2019-25443 is a critical SQL injection vulnerability in an Inventory Webapp affecting the add-item.php endpoint. Unauthenticated attackers can inject malicious SQL code through GET parameters (name, description, quantity, cat_id) to execute arbitrary database commands, potentially leading to complete database compromise, data exfiltration, and system takeover. With a CVSS score of 8.2 and no authentication required, this vulnerability poses an immediate and severe threat to organizations using this application.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 06:36

🇸🇦 Saudi Arabia Impact Assessment

This vulnerability poses significant risk to Saudi organizations across multiple sectors: Government agencies using inventory management systems for procurement and asset tracking; Banking sector for internal inventory and supply chain systems; Healthcare institutions (MOH facilities) managing medical supplies and equipment; Energy sector (ARAMCO, utilities) for asset management; Telecommunications (STC, Mobily) for network equipment inventory; and Retail/E-commerce enterprises. The lack of authentication requirement makes it particularly dangerous for internet-facing deployments. Potential impacts include unauthorized access to sensitive inventory data, financial fraud through inventory manipulation, supply chain disruption, and lateral movement to critical systems.

🏢 Affected Saudi Sectors

Government Banking Healthcare Energy Telecommunications Retail/E-commerce Manufacturing Logistics

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1005 - Data from Local System T1041 - Exfiltration Over C2 Channel T1021 - Remote Services T1078 - Valid Accounts T1110 - Brute Force

⚖️ Saudi Risk Score (AI)

8.5

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Identify all instances of the affected Inventory Webapp in your environment, particularly internet-facing deployments

2. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in GET parameters (name, description, quantity, cat_id) to add-item.php

3. Restrict access to add-item.php to authorized users only using network-level controls

4. Monitor database logs for suspicious SQL queries and unauthorized access attempts



PATCHING GUIDANCE:

1. Apply the available patch immediately to all affected systems

2. Test patches in a non-production environment first

3. Prioritize internet-facing instances for immediate patching

4. Maintain backups before applying patches



COMPENSATING CONTROLS (if patch cannot be applied immediately):

1. Implement input validation and sanitization for all GET parameters

2. Use parameterized queries/prepared statements instead of string concatenation

3. Apply principle of least privilege to database user accounts

4. Disable error messages that reveal database structure

5. Implement rate limiting on add-item.php endpoint



DETECTION RULES:

1. Monitor for SQL keywords in GET parameters: UNION, SELECT, INSERT, DROP, DELETE, OR, AND

2. Alert on multiple failed database queries from same source IP

3. Track unusual database user activity and privilege escalation attempts

4. Log all requests to add-item.php with full parameter values

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. حدد جميع نسخ تطبيق إدارة المخزون المتأثرة في بيئتك، خاصة النشرات المتاحة على الإنترنت

2. طبق قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معاملات GET (name و description و quantity و cat_id) إلى add-item.php

3. قيد الوصول إلى add-item.php للمستخدمين المصرح لهم فقط باستخدام عناصر التحكم على مستوى الشبكة

4. راقب سجلات قاعدة البيانات للاستعلامات المريبة ومحاولات الوصول غير المصرح بها

إرشادات التصحيح:

1. طبق التصحيح المتاح فوراً على جميع الأنظمة المتأثرة

2. اختبر التصحيحات في بيئة غير إنتاجية أولاً

3. أعط الأولوية للنسخ المتاحة على الإنترنت للتصحيح الفوري

4. احتفظ بنسخ احتياطية قبل تطبيق التصحيحات

عناصر التحكم البديلة (إذا لم يكن التصحيح متاحاً فوراً):

1. طبق التحقق من صحة المدخلات والتطهير لجميع معاملات GET

2. استخدم الاستعلامات المعاملة/البيانات المحضرة بدلاً من سلسلة النصوص

3. طبق مبدأ أقل امتياز على حسابات مستخدمي قاعدة البيانات

4. عطل الرسائل التي تكشف عن هيكل قاعدة البيانات

5. طبق تحديد معدل على نقطة نهاية add-item.php

قواعد الكشف:

1. راقب كلمات SQL الرئيسية في معاملات GET: UNION و SELECT و INSERT و DROP و DELETE و OR و AND

2. أصدر تنبيهات عند فشل استعلامات قاعدة البيانات المتعددة من نفس عنوان IP المصدر

3. تتبع نشاط مستخدم قاعدة البيانات غير المعتاد ومحاولات تصعيد الامتيازات

4. سجل جميع الطلبات إلى add-item.php مع قيم المعاملات الكاملة

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.14.2.1 - Secure development policy and procedures A.14.2.5 - Secure development environment A.14.3.1 - Testing of security functionality A.14.3.2 - System change control A.14.3.3 - Testing of security patches

🔵 SAMA CSF

ID.GV-1 - Organizational cybersecurity policy PR.DS-6 - Data is protected from unauthorized access PR.PT-1 - Security policies and procedures are maintained DE.CM-1 - The network is monitored for unauthorized connections

🟡 ISO 27001:2022

A.12.6.1 - Management of technical vulnerabilities A.14.2.1 - Secure development policy A.14.3.1 - Security testing A.12.2.1 - Restriction of access to information

🟣 PCI DSS v4.0.1

6.5.1 - Injection flaws prevention 6.2 - Security patches installation 11.2 - Vulnerability scanning

🔗 References & Sources 2

🔗

https://www.exploit-db.com/exploits/47356

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/inventory-webapp-sql-injection-via-add-itemphp

disclosure@vulncheck.com

📊 CVSS Score

8.2

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity High

CVSS Score8.2

CWECWE-89

EPSS0.07%

Exploit No

Patch ✓ Yes

Published 2026-02-22

Source Feed nvd

🇸🇦 Saudi Risk Score

8.5

/ 10.0 — Saudi Risk

Priority: CRITICAL

🏷️ Tags

CWE-89

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2019-25443

💬 Comments

Introduce Yourself

Sign In Required