📄 Description (English)
Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send POST requests to the ajax/productsFilterSearch endpoint with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information.
🤖 AI Executive Summary
CVE-2019-25461 is a critical SQL injection vulnerability in Web Ofisi Platinum E-Ticaret v5.0.0 affecting the ajax/productsFilterSearch endpoint. Unauthenticated attackers can exploit the 'q' parameter using time-based blind SQL injection to extract sensitive database information. With an available exploit and CVSS 8.2 score, this poses immediate risk to e-commerce platforms and their customer data.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 06:37
🇸🇦 Saudi Arabia Impact Assessment
Saudi e-commerce platforms, online retailers, and businesses using Web Ofisi Platinum v5.0.0 are at direct risk. Banking sector exposure is moderate if integrated with payment gateways. Government procurement portals and ARAMCO supply chain platforms using this software face data breach risks. Telecom sector (STC, Mobily) e-commerce services could be compromised. Customer PII, transaction records, and business intelligence data are at risk of extraction.
🏢 Affected Saudi Sectors
E-Commerce and Retail
Banking and Financial Services
Government and Public Sector
Energy (ARAMCO supply chain)
Telecommunications (STC, Mobily)
Healthcare (if using for patient portals)
Logistics and Supply Chain
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Web Ofisi Platinum E-Ticaret v5.0.0 in your environment
2. Disable or restrict access to ajax/productsFilterSearch endpoint immediately
3. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in 'q' parameter
4. Monitor database logs for suspicious query patterns and time-based delays
PATCHING:
5. Apply vendor patch to upgrade beyond v5.0.0 immediately
6. Test patches in staging environment before production deployment
7. Verify patch effectiveness by attempting known SQL injection payloads
COMPENSATING CONTROLS (if patch unavailable):
8. Implement input validation: whitelist allowed characters, reject special SQL characters
9. Use parameterized queries/prepared statements for all database interactions
10. Apply principle of least privilege to database user accounts
11. Enable database query logging and alerting for suspicious patterns
DETECTION:
12. Monitor for POST requests to ajax/productsFilterSearch with SQL keywords (UNION, SELECT, SLEEP, BENCHMARK)
13. Alert on response time anomalies (>5 second delays indicating time-based blind SQLi)
14. Track failed database authentication attempts and unusual query execution
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع حالات Web Ofisi Platinum E-Ticaret v5.0.0 في بيئتك
2. تعطيل أو تقييد الوصول إلى نقطة نهاية ajax/productsFilterSearch فوراً
3. تنفيذ قواعد جدار حماية تطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل 'q'
4. مراقبة سجلات قاعدة البيانات للأنماط المريبة والتأخيرات المستندة إلى الوقت
التصحيح:
5. تطبيق تصحيح البائع للترقية إلى ما بعد v5.0.0 فوراً
6. اختبار التصحيحات في بيئة التجميع قبل نشر الإنتاج
7. التحقق من فعالية التصحيح بمحاولة حمولات حقن SQL المعروفة
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
8. تنفيذ التحقق من الإدخال: قائمة بيضاء للأحرف المسموحة، رفض أحرف SQL الخاصة
9. استخدام الاستعلامات المعاملة/البيانات المحضرة لجميع تفاعلات قاعدة البيانات
10. تطبيق مبدأ أقل امتياز لحسابات مستخدمي قاعدة البيانات
11. تفعيل تسجيل الاستعلامات وتنبيهات قاعدة البيانات للأنماط المريبة
الكشف:
12. مراقبة طلبات POST إلى ajax/productsFilterSearch بكلمات SQL (UNION, SELECT, SLEEP, BENCHMARK)
13. التنبيه على شذوذ وقت الاستجابة (تأخيرات >5 ثوان تشير إلى SQLi العمياء المستندة إلى الوقت)
14. تتبع محاولات المصادقة الفاشلة في قاعدة البيانات وتنفيذ الاستعلامات غير العادية
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
SAMA CSF ID.BE-3 - Organizational resilience
SAMA CSF PR.AC-1 - Access control policy and procedures
SAMA CSF PR.DS-2 - Data security and protection
SAMA CSF DE.CM-1 - Detection and analysis
🟡 ISO 27001:2022
ISO 27001:2022 A.5.23 - Information security for supplier relationships
ISO 27001:2022 A.8.1 - Organizational controls for information security
ISO 27001:2022 A.8.2 - Mobile device and teleworking
ISO 27001:2022 A.12.2 - Logging
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.2 - Security patches and updates
PCI DSS 10.2 - Logging and monitoring
🔗 References & Sources 3
🔗
https://www.exploit-db.com/exploits/47140
disclosure@vulncheck.com
Exploit
🔗
https://www.vulncheck.com/advisories/web-ofisi-platinum-e-ticaret-sql-injection-via-aja...
disclosure@vulncheck.com
Broken Link
🔗
https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html
disclosure@vulncheck.com
Product
📦 Affected Products / CPE 1 entries
web-ofisi:ticaret:5.0.0