CVE-2019-25303
Published: 06 February 2026
Summary
CVE-2019-25303 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 14.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2019-25303 is a SQL injection vulnerability in TheJshen ContentManagementSystem version 1.04. The application fails to properly sanitize the 'id' GET parameter before using it in a database query, allowing attackers to manipulate that query. Exploitation is possible via boolean-based, time-based, and UNION-based SQL injection techniques, enabling the extraction or manipulation of database information. The vulnerability is rated with a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-89.
The vulnerability can be exploited by remote attackers who possess low privileges, such as authenticated users, as reflected by the PR:L component of the CVSS vector. No user interaction is needed, and attacks can be launched over the network with low complexity. Successful exploitation grants high confidentiality impact through data extraction and low integrity impact via database manipulation, without disrupting availability.
Advisories and related resources include a VulnCheck advisory detailing the SQL injection in the 'id' parameter, an Exploit-DB entry (47569) with a proof-of-concept exploit, and the GitHub repository for TheJshen ContentManagementSystem. No specific patches or mitigation steps are detailed in the provided information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19403
Vulnerability details
TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'id' GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in public-facing web CMS directly enables remote exploitation (T1190) and unauthorized database data extraction/manipulation (T1213.006).
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): Directly requires validation and sanitization of the 'id' GET parameter to block boolean/time/UNION-based SQL payloads before they reach the database.
AC-6 (Least Privilege): Limits the database privileges available to the low-privilege authenticated accounts that can exploit the injection, reducing the scope of data extraction or manipulation.
Requires timely remediation of the identified SQL injection flaw in the ContentManagementSystem 1.04 code.
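The SI-10 and AC-6 controls listed above, applied to the 'id' parameter pattern this CVE describes, as an added Python/SQLite example that is not code from TheJshen ContentManagementSystem or from this advisory; the table layout, column names and the use of SQLite's query_only pragma as a stand-in for a read-only database account are assumptions.

```python
import re
import sqlite3

# Constructed in-memory stand-in for the CMS database. The table and column
# names are assumptions for this example, not taken from the real product.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER PRIMARY KEY, title TEXT, state TEXT)")
    conn.executemany(
        "INSERT INTO content VALUES (?, ?, ?)",
        [(1, "Welcome", "public"), (2, "About", "public"), (3, "Draft", "unpublished")],
    )
    return conn

def fetch_vulnerable(conn, id_param):
    # The CWE-89 pattern behind CVE-2019-25303: the raw GET value is spliced
    # into the SQL text, so whatever it contains is parsed as SQL.
    return conn.execute("SELECT id, title FROM content WHERE id = " + id_param).fetchall()

ID_PATTERN = re.compile(r"[0-9]{1,10}")

def fetch_hardened(conn, id_param):
    # SI-10: an article id is a small positive integer, so anything else is
    # rejected before it reaches the database. Boolean-, time- and UNION-based
    # payloads all need characters outside [0-9], so this check stops them.
    if not ID_PATTERN.fullmatch(id_param):
        raise ValueError("invalid id parameter")
    # Parameter binding: the value travels as data, never as SQL text.
    return conn.execute(
        "SELECT id, title FROM content WHERE id = ?", (int(id_param),)
    ).fetchall()

def open_web_tier(conn):
    # AC-6: the connection the page handler uses is read-only, so even if an
    # injection slipped through it could not alter or delete rows. SQLite's
    # query_only pragma stands in for a least-privilege database account.
    conn.execute("PRAGMA query_only = ON")
    return conn

def can_modify(conn):
    # Probe: True if this connection is allowed to change rows.
    try:
        conn.execute("DELETE FROM content WHERE id = 3")
        return True
    except sqlite3.OperationalError:
        return False
```

Running fetch_vulnerable with a tautology such as "2 OR 1=1" returns every row including the unpublished draft, while fetch_hardened rejects the same value before any query runs and a connection opened through open_web_tier cannot delete rows at all.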