CVE-2019-25455
Published: 22 February 2026
Summary
CVE-2019-25455 is a high-severity SQL Injection (CWE-89) vulnerability in Web-Ofisi E-Ticaret. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 31.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25455 is an SQL injection vulnerability (CWE-89) affecting Web Ofisi E-Ticaret v3. The flaw allows unauthenticated attackers to inject SQL code through the 'a' parameter, enabling manipulation of database queries. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility, low attack complexity, no privileges required, and high confidentiality impact.
Unauthenticated remote attackers can exploit this vulnerability without user interaction. By crafting GET requests with specially injected SQL payloads in the 'a' parameter, they can achieve unauthorized extraction of sensitive data from the underlying database, such as user credentials, orders, or other business information hosted by the e-commerce platform.
Advisories referenced in the CVE include an Exploit-DB entry (47139) demonstrating a working exploit, a VulnCheck advisory detailing the SQL injection via ara.html, and a vendor product page for E-Ticaret v3 sanal POS. No specific patches or mitigation steps are detailed in the provided CVE information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19599
Vulnerability details
Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in an unauthenticated, public-facing web application directly enables T1190 (Exploit Public-Facing Application) for initial access and database data extraction.
Mitigating Controls (NIST 800-53 r5)
SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the 'a' parameter in GET requests.
SI-9 enforces restrictions on information inputs such as whitelisting allowed values or formats for the 'a' parameter to block malicious SQL payloads.
SI-2 requires timely identification, reporting, and correction of specific flaws like this SQL injection vulnerability in the Web Ofisi E-Ticaret v3 application.
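As an added defensive example (not code from Web Ofisi or the CVE record), the Python handler below applies the two input controls named above to the 'a' search parameter: an allow-list check in the spirit of SI-9, and a parameterized query in the spirit of SI-10, so the database always receives the term as data rather than as SQL. The product table, its rows, the handler and all function names are assumptions for this example.

```python
import re
import sqlite3
from typing import Dict, List, Tuple

# Constructed demo catalogue standing in for the shop's product table; the
# schema and rows are assumptions for this example, not Web Ofisi's own.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO products (name, price) VALUES (?, ?)",
        [("kahve makinesi", 1200.0), ("kahve filtresi", 45.0), ("cay bardagi", 30.0)],
    )
    return conn

# SI-9 style restriction on the 'a' search term: 1-64 characters drawn from
# letters, digits, whitespace, hyphen, period and comma. Quotes, semicolons,
# comment markers and the '%' wildcard are rejected before any query is built.
SEARCH_TERM = re.compile(r"[\w\s\-.,]{1,64}")

def validate_search_term(a: str) -> str:
    term = a.strip()
    if not term or SEARCH_TERM.fullmatch(term) is None:
        raise ValueError("search term rejected by input validation")
    return term

def search_products(conn: sqlite3.Connection, a: str) -> List[Tuple[int, str, float]]:
    """SI-10 style query: the validated term is bound as a parameter, so the
    database treats it as data. LIKE wildcards are escaped as well, so the
    value is matched literally even though '_' passes the allow-list."""
    term = validate_search_term(a)
    escaped = term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return conn.execute(
        "SELECT id, name, price FROM products WHERE name LIKE ? ESCAPE '\\'",
        ("%" + escaped + "%",),
    ).fetchall()

def handle_search_request(conn: sqlite3.Connection, params: Dict[str, str]) -> Tuple[int, list]:
    """Hypothetical GET handler for a request of the form ara.html?a=<term>:
    returns an HTTP-style status plus matching rows; rejected input yields 400."""
    try:
        return 200, search_products(conn, params.get("a", ""))
    except ValueError:
        return 400, []

if __name__ == "__main__":
    db = build_demo_db()
    print(handle_search_request(db, {"a": "kahve"}))   # 200 with two rows
    print(handle_search_request(db, {"a": "kahve'"}))  # 400, quote rejected
```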