📧 info@ciso.sa | 📱 +966550939344 | Riyadh, Kingdom of Saudi Arabia
About FAQ Contact Us Terms of Service Privacy Policy 🌐 العربية
🔐

Welcome — Sign in or create an account for full access.

🔑 Sign In ✨ Register
🌐 العربية Sign In Create Account
🔧 Scheduled Maintenance — Saturday 2:00-4:00 AM AST. Some features may be temporarily unavailable.    ●   
💎
Pro Plan 50% Off Unlock all AI features, unlimited reports, and priority support. Upgrade
Search Center
ESC to close
navigate open Ctrl+K search
CISO Consulting
Global vulnerability Software Development and Technology CRITICAL 2h Global vulnerability Software Development / Technology CRITICAL 3h Global apt Financial Services, Cryptocurrency CRITICAL 11h Global ransomware General/Cross-sector HIGH 11h Global vulnerability Technology/Software Development CRITICAL 11h Global insider Government, Intelligence, Cybersecurity HIGH 12h Global ransomware Multiple sectors HIGH 12h Global malware Multiple sectors HIGH 13h Global supply_chain Technology/SaaS HIGH 13h Global general Cybersecurity and Risk Management MEDIUM 14h Global vulnerability Software Development and Technology CRITICAL 2h Global vulnerability Software Development / Technology CRITICAL 3h Global apt Financial Services, Cryptocurrency CRITICAL 11h Global ransomware General/Cross-sector HIGH 11h Global vulnerability Technology/Software Development CRITICAL 11h Global insider Government, Intelligence, Cybersecurity HIGH 12h Global ransomware Multiple sectors HIGH 12h Global malware Multiple sectors HIGH 13h Global supply_chain Technology/SaaS HIGH 13h Global general Cybersecurity and Risk Management MEDIUM 14h Global vulnerability Software Development and Technology CRITICAL 2h Global vulnerability Software Development / Technology CRITICAL 3h Global apt Financial Services, Cryptocurrency CRITICAL 11h Global ransomware General/Cross-sector HIGH 11h Global vulnerability Technology/Software Development CRITICAL 11h Global insider Government, Intelligence, Cybersecurity HIGH 12h Global ransomware Multiple sectors HIGH 12h Global malware Multiple sectors HIGH 13h Global supply_chain Technology/SaaS HIGH 13h Global general Cybersecurity and Risk Management MEDIUM 14h
Vulnerabilities

CVE-2019-25489

High
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET
CWE-89 — Weakness Type
Published: Feb 27, 2026  ·  Modified: Feb 28, 2026  ·  Source: NVD
CVSS v3
8.2
🔗 NVD Official
📄 Description (English)

Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.

🤖 AI Executive Summary

CVE-2019-25489 is a critical SQL injection vulnerability in Homey BNB V4 affecting the rooms/ajax_refresh_subtotal endpoint. Unauthenticated attackers can inject malicious SQL code through the hosting_id parameter to extract sensitive database information or cause denial of service. With a CVSS score of 8.2 and no authentication required, this vulnerability poses significant risk to organizations using this platform.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: Apr 25, 2026 08:54
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi hospitality and tourism sector organizations using Homey BNB V4 platform. At-risk sectors include: (1) Tourism & Hospitality - hotel chains and property management companies relying on Homey BNB for booking systems; (2) Small-to-Medium Enterprises (SMEs) - property owners and vacation rental operators; (3) Travel & Tourism agencies integrating with Homey BNB. The vulnerability enables unauthorized database access, potential theft of guest personal information (names, contact details, payment information), booking data manipulation, and service disruption affecting customer trust and regulatory compliance with SAMA data protection requirements.
🏢 Affected Saudi Sectors
Hospitality & Tourism Travel & Booking Services Property Management Small-to-Medium Enterprises (SMEs) E-commerce (vacation rentals)
⚖️ Saudi Risk Score (AI)
8.5
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:

1. Identify all systems running Homey BNB V4 and isolate them from public internet access if possible

2. Review access logs for rooms/ajax_refresh_subtotal endpoint for suspicious activity (unusual hosting_id parameters, SQL keywords)

3. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in hosting_id parameter



PATCHING:

4. Apply available patches immediately to all Homey BNB V4 installations

5. Verify patch deployment and test functionality post-update



COMPENSATING CONTROLS (if patch unavailable):

6. Implement input validation: whitelist only numeric values for hosting_id parameter

7. Use parameterized queries/prepared statements in application code

8. Apply principle of least privilege to database user accounts

9. Enable database query logging and monitoring for suspicious patterns



DETECTION:

10. Monitor for HTTP GET requests to /rooms/ajax_refresh_subtotal with SQL keywords (UNION, SELECT, DROP, INSERT, etc.)

11. Alert on unusual database query patterns or failed authentication attempts

12. Implement IDS/IPS signatures for SQL injection attempts
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:

1. تحديد جميع الأنظمة التي تعمل بـ Homey BNB V4 وعزلها عن الإنترنت العام إن أمكن

2. مراجعة سجلات الوصول لنقطة النهاية rooms/ajax_refresh_subtotal للبحث عن نشاط مريب (معاملات hosting_id غير عادية، كلمات SQL)

3. تطبيق قواعد جدار الحماية لتطبيقات الويب (WAF) لحجب أنماط حقن SQL في معامل hosting_id



تطبيق التصحيحات:

4. تطبيق التصحيحات المتاحة فوراً على جميع تثبيتات Homey BNB V4

5. التحقق من نشر التصحيح واختبار الوظائف بعد التحديث



الضوابط البديلة (إذا لم يكن التصحيح متاحاً):

6. تطبيق التحقق من المدخلات: السماح فقط بالقيم الرقمية لمعامل hosting_id

7. استخدام الاستعلامات المعاملة/البيانات المحضرة في كود التطبيق

8. تطبيق مبدأ أقل امتياز لحسابات مستخدمي قاعدة البيانات

9. تفعيل تسجيل الاستعلامات ومراقبة قاعدة البيانات للأنماط المريبة



الكشف:

10. مراقبة طلبات HTTP GET إلى /rooms/ajax_refresh_subtotal التي تحتوي على كلمات SQL (UNION, SELECT, DROP, INSERT، إلخ)

11. تنبيه عند أنماط استعلامات قاعدة بيانات غير عادية أو محاولات مصادقة فاشلة

12. تطبيق توقيعات IDS/IPS لمحاولات حقن SQL
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy and procedures A.14.2.5 - Secure development environment A.12.6.1 - Management of technical vulnerabilities A.12.2.1 - Monitoring of system use
🔵 SAMA CSF
ID.RA-1 - Asset management and inventory PR.DS-6 - Integrity checking mechanisms DE.CM-1 - The network is monitored for unauthorized connections RS.MI-2 - Incidents are mitigated
🟡 ISO 27001:2022
A.14.2.1 - Secure development policy A.14.2.5 - Secure development environment A.12.6.1 - Management of technical vulnerabilities A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0
6.5.1 - Injection flaws prevention 6.2 - Security patches and updates 11.2 - Vulnerability scanning
📊 CVSS Score
8.2
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack VectorN — None / Network
Attack ComplexityL — Low / Local
Privileges RequiredN — None / Network
User InteractionN — None / Network
ScopeU — Unchanged
ConfidentialityH — High
IntegrityL — Low / Local
AvailabilityN — None / Network
📋 Quick Facts
Severity High
CVSS Score8.2
CWECWE-89
EPSS0.06%
Exploit No
Patch ✓ Yes
Published 2026-02-27
Source Feed nvd
Views 5
🇸🇦 Saudi Risk Score
8.5
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-89
⚡ Actions
🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details
Share this CVE
LinkedIn X / Twitter WhatsApp Telegram
📣 Found this valuable?
Share it with your cybersecurity network
in LinkedIn 𝕏 X / Twitter 💬 WhatsApp ✈ Telegram
🍪 Privacy Preferences
CISO Consulting — Compliant with Saudi Personal Data Protection Law (PDPL)
We use cookies and similar technologies to provide the best experience on our platform. You can choose which types you accept.
🔒
Essential Always On
Required for the website to function properly. Cannot be disabled.
📋 Sessions, CSRF tokens, authentication, language preferences
📊
Analytics
Help us understand how visitors use the site and improve performance.
📋 Page views, session duration, traffic sources, performance metrics
⚙️
Functional
Enable enhanced features like content personalization and preferences.
📋 Dark/light theme, font size, custom dashboards, saved filters
📣
Marketing
Used to deliver content and ads relevant to your interests.
📋 Campaign tracking, retargeting, social media analytics
Privacy Policy →
CISO AI Assistant
Ask anything · Documents · Support
🔐

Introduce Yourself

Enter your details to access the full assistant

Your info is private and never shared
💬
CyberAssist
Online · responds in seconds
5 / 5
🔐 Verify Your Identity

Enter your email to receive a verification code before submitting a support request.

Enter to send · / for commands 0 / 2000
CISO AI · Powered by Anthropic Claude
✦ Quick Survey Help Us Improve CISO Consulting Your feedback shapes the future of our platform — takes less than 2 minutes.
⚠ Please answer this question to continue

How would you rate your overall experience with our platform?

Rate from 1 (poor) to 5 (excellent)

🎉
Thank you!
Your response has been recorded.