Vulnerabilities

CVE-2019-25635

High
CWE-89 — Weakness Type
Published: Mar 24, 2026  ·  Modified: Mar 30, 2026  ·  Source: NVD
CVSS v3
8.2
🔗 NVD Official
📄 Description (English)

Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques.

🤖 AI Executive Summary

CVE-2019-25635 is a critical SQL injection vulnerability in Zeeways Matrimony CMS affecting the profile_list endpoint, allowing unauthenticated attackers to extract sensitive database information through multiple parameters (up_cast, s_mother, s_religion). With a CVSS score of 8.2 and no available patch, this vulnerability poses significant risk to organizations using this CMS, particularly those handling personal and matrimonial data. The lack of authentication requirement makes exploitation trivial and widespread.

🤖 AI Intelligence Analysis (analyzed Apr 25, 2026 11:33)
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi matrimonial services, dating platforms, and CMS-based applications handling personal data. High-risk sectors include: (1) Private matrimonial agencies and online marriage platforms operating in Saudi Arabia; (2) Healthcare organizations using similar CMS platforms for patient data management; (3) Government agencies managing citizen databases; (4) Telecom providers (STC, Mobily, Zain) if using this CMS for customer management; (5) Financial institutions if matrimonial data is linked to banking systems. The exposure of personal information (names, contact details, religious preferences, family information) violates PDPL requirements and could enable identity theft, social engineering, and harassment targeting Saudi citizens.
🏢 Affected Saudi Sectors
Matrimonial Services, Online Dating Platforms, Healthcare (if using CMS for patient data), Government Agencies, Telecommunications, Financial Services, Content Management Systems
⚖️ Saudi Risk Score (AI)
8.7
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all instances of Zeeways Matrimony CMS in your environment and isolate affected systems from production networks if possible
2. Implement Web Application Firewall (WAF) rules to block SQL injection patterns in profile_list endpoint parameters (up_cast, s_mother, s_religion)
3. Enable comprehensive logging and monitoring of all database queries from the CMS application
4. Conduct emergency database access review and revoke unnecessary privileges

COMPENSATING CONTROLS (No patch available):
5. Apply input validation and parameterized queries at application level if source code access available
6. Implement rate limiting on profile_list endpoint to prevent automated exploitation
7. Restrict database user permissions to read-only access where possible
8. Deploy database activity monitoring (DAM) solutions to detect suspicious query patterns
9. Implement network segmentation to limit database access from CMS application
10. Consider migrating to alternative, actively maintained matrimonial CMS solutions
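As an added illustration of step 5 (this is not Zeeways code; the page does not show the CMS source), a parameterized filter builder for a profile_list-style endpoint: column names can only come from an allowlist, and request values are always bound as placeholders. The profiles table, its columns and the sample rows are constructed assumptions.

```python
import sqlite3

# Allowlist: only these request parameters may ever become WHERE columns.
FILTER_COLUMNS = ("up_cast", "s_mother", "s_religion")

def build_profile_query(request_params):
    """Return (sql, params). The column name is taken from the allowlist,
    never from the request; the value is bound, never concatenated."""
    clauses, params = [], []
    for column in FILTER_COLUMNS:
        value = request_params.get(column)
        if value:                      # absent or empty filters are skipped
            clauses.append(f"{column} = ?")
            params.append(value)
    sql = "SELECT id, name FROM profiles"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return sql, params

def search_profiles(conn, request_params):
    """Run the filter against the database using bound parameters."""
    sql, params = build_profile_query(request_params)
    return conn.execute(sql, params).fetchall()

def demo_connection():
    """In-memory table with constructed sample rows (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE profiles (id INTEGER, name TEXT, "
                 "up_cast TEXT, s_mother TEXT, s_religion TEXT)")
    conn.executemany("INSERT INTO profiles VALUES (?,?,?,?,?)", [
        (1, "A", "c1", "m1", "r1"),
        (2, "B", "c2", "m2", "r1"),
    ])
    return conn

if __name__ == "__main__":
    conn = demo_connection()
    print(search_profiles(conn, {"s_religion": "r1"}))                    # two rows
    # A value carrying SQL syntax is compared as a literal string and matches nothing.
    print(search_profiles(conn, {"s_religion": "r1' UNION SELECT 1,2-- "}))  # []
```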

DETECTION RULES:
- Monitor for SQL keywords (UNION, SELECT, SLEEP, BENCHMARK) in profile_list parameters
- Alert on unusual database query execution times (time-based injection indicators)
- Track failed database authentication attempts and privilege escalation attempts
- Monitor for data exfiltration patterns (large result sets, multiple sequential queries)
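The first two detection rules above turned into a small log scanner, as an added example that is not part of the original advisory. It assumes a combined-log-style access log with a trailing response-time field in milliseconds (a hypothetical format) and a 5 s slow-response threshold; the sample lines are constructed, not real traffic.

```python
import re
from urllib.parse import urlparse, parse_qs

# Parameters named in the advisory and the keywords listed under DETECTION RULES.
WATCHED_PARAMS = ("up_cast", "s_mother", "s_religion")
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|SLEEP|BENCHMARK)\b", re.IGNORECASE)
SLOW_MS = 5000  # assumption: a response this slow is a time-based injection indicator

# Assumed log format: combined-log prefix followed by the response time in ms.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<ms>\d+)$'
)

def inspect_line(line):
    """Return (parameter, reason) findings for one access-log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    url = urlparse(m.group("target"))
    if url.path != "/profile_list":
        return []
    params = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    findings = []
    for name in WATCHED_PARAMS:
        for value in params.get(name, []):
            if SQL_KEYWORDS.search(value):
                findings.append((name, "sql_keyword"))
    if int(m.group("ms")) >= SLOW_MS:
        findings.append(("*", "slow_response"))
    return findings

def scan(lines):
    """Map line index -> findings for every line that raised at least one."""
    report = {}
    for i, line in enumerate(lines):
        findings = inspect_line(line)
        if findings:
            report[i] = findings
    return report

# Constructed sample traffic: 0 normal request, 1 time-based probe (slow),
# 2 keyword in another watched parameter, 3 unrelated page (ignored).
SAMPLE_LOG = [
    '203.0.113.5 - - [24/Mar/2026:10:00:01 +0300] "GET /profile_list?up_cast=c1&s_religion=r1 HTTP/1.1" 200 5120 120',
    '203.0.113.9 - - [24/Mar/2026:10:00:07 +0300] "GET /profile_list?s_mother=1%27%20AND%20SLEEP(5)-- HTTP/1.1" 200 3011 5480',
    '203.0.113.9 - - [24/Mar/2026:10:00:15 +0300] "GET /profile_list?s_religion=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 500 512 90',
    '198.51.100.2 - - [24/Mar/2026:10:00:20 +0300] "GET /index.php?page=select HTTP/1.1" 200 2048 40',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```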
🔧 Remediation Steps (Arabic)
IMMEDIATE ACTIONS:
1. Identify all instances of Zeeways Matrimony CMS in your environment and isolate affected systems from production networks if possible
2. Apply Web Application Firewall (WAF) rules to block SQL injection patterns in the profile_list endpoint parameters
3. Enable comprehensive logging and monitoring of all database queries from the CMS application
4. Conduct an emergency review of database access and revoke unnecessary privileges

COMPENSATING CONTROLS (no patch available):
5. Apply input validation and parameterized queries at the application level
6. Apply rate limiting on the profile_list endpoint to prevent automated exploitation
7. Restrict database user permissions to read-only access where possible
8. Deploy database activity monitoring (DAM) solutions to detect suspicious query patterns
9. Apply network segmentation to limit database access from the CMS application
10. Consider migrating to alternative, actively maintained matrimonial CMS solutions
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
- ECC 2024 A.5.1.1 - Information Security Policies and Procedures
- ECC 2024 A.6.1.2 - Access Control and Authentication
- ECC 2024 A.8.2.1 - Input Validation and Output Encoding
- ECC 2024 A.8.2.3 - Database Security
- ECC 2024 A.12.6.1 - Management of Technical Vulnerabilities
🔵 SAMA CSF
- SAMA CSF ID.GV-1 - Organizational context and risk management
- SAMA CSF PR.AC-1 - Access control and authentication mechanisms
- SAMA CSF PR.DS-1 - Data security and protection
- SAMA CSF DE.CM-1 - Detection and monitoring of anomalies
- SAMA CSF RS.MI-1 - Incident response and mitigation
🟡 ISO 27001:2022
- ISO 27001:2022 A.5.1 - Policies for information security
- ISO 27001:2022 A.6.1 - Organizational controls
- ISO 27001:2022 A.8.1 - Cryptography and data protection
- ISO 27001:2022 A.8.2 - Data security
- ISO 27001:2022 A.8.3 - Separation of duties
- ISO 27001:2022 A.14.2 - Development security
🟣 PCI DSS v4.0.1
- PCI DSS 6.5.1 - Injection flaws prevention
- PCI DSS 6.5.6 - Parameterized queries requirement
- PCI DSS 11.2 - Vulnerability scanning and assessment
📊 CVSS Score
8.2
/ 10.0 — High
📊 CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: N (Network)
Attack Complexity: L (Low)
Privileges Required: N (None)
User Interaction: N (None)
Scope: U (Unchanged)
Confidentiality: H (High)
Integrity: L (Low)
Availability: N (None)
📋 Quick Facts
Severity: High
CVSS Score: 8.2
CWE: CWE-89
Exploit: No
Patch: ✗ No
Published: 2026-03-24
Source Feed: nvd
🇸🇦 Saudi Risk Score
8.7
/ 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-89