Cyber Resilience

CVE-2019-25455

Severity: High · Public PoC

Published: 22 February 2026
Modified: 02 March 2026
CVSS Score v4: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0040 (31.4th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25455 is a high-severity SQL Injection (CWE-89) vulnerability in Web-Ofisi E-Ticaret. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25455 is an SQL injection vulnerability (CWE-89) affecting Web Ofisi E-Ticaret v3. The flaw allows unauthenticated attackers to inject SQL code through the 'a' parameter, enabling manipulation of database queries. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting network accessibility, low attack complexity, no privileges required, and high confidentiality impact.

Unauthenticated remote attackers can exploit this vulnerability without user interaction. By crafting GET requests with specially injected SQL payloads in the 'a' parameter, they can achieve unauthorized extraction of sensitive data from the underlying database, such as user credentials, orders, or other business information hosted by the e-commerce platform.

Advisories referenced in the CVE include an Exploit-DB entry (47139) demonstrating a working exploit, a VulnCheck advisory detailing the SQL injection via ara.html, and a vendor product page for E-Ticaret v3 sanal POS. No specific patches or mitigation steps are detailed in the provided CVE information.

Vulnerability details

Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests with malicious 'a' parameter values to extract sensitive database information.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in unauthenticated public-facing web app directly enables T1190 for initial access and database data extraction.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25210 · Same product: Web-Ofisi E-Ticaret
CVE-2019-25461 · Same vendor: Web-Ofisi
CVE-2019-25457 · Same vendor: Web-Ofisi
CVE-2019-25458 · Same vendor: Web-Ofisi
CVE-2019-25459 · Same vendor: Web-Ofisi
CVE-2019-25460 · Same vendor: Web-Ofisi
CVE-2019-25456 · Same vendor: Web-Ofisi
CVE-2026-24956 · Shared CWE-89
CVE-2026-33615 · Shared CWE-89
CVE-2025-28939 · Shared CWE-89

Affected Assets

web-ofisi
e-ticaret
3.0.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-10 directly prevents SQL injection by requiring validation and sanitization of untrusted inputs like the 'a' parameter in GET requests.

prevent · SI-9 enforces restrictions on information inputs, such as whitelisting allowed values or formats for the 'a' parameter, to block malicious SQL payloads.

prevent · SI-2 requires timely identification, reporting, and correction of specific flaws like this SQL injection vulnerability in the Web Ofisi E-Ticaret v3 application.
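As an added illustration (not code from Web Ofisi or from this page) of the CWE-89 pattern the analysis describes and of the SI-10 and SI-9 controls listed above: a constructed product table, a search that splices the 'a' parameter into its query, and the same search with the value bound as a parameter behind an assumed allowlist policy.

```python
import re
import sqlite3

# Constructed sample catalogue standing in for the shop's product table;
# row 3 is deliberately not visible to the storefront.
SAMPLE_PRODUCTS = [
    (1, "Laptop", 1),
    (2, "Laptop bag", 1),
    (3, "Internal test SKU", 0),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visible INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn

def search_vulnerable(conn, a):
    # The CWE-89 pattern: the request parameter is spliced into the SQL text, so
    # the engine cannot distinguish the caller's data from query structure.
    sql = ("SELECT id FROM products WHERE visible = 1 AND name LIKE '%" + a + "%'"
           " ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_bound(conn, a):
    # SI-10, the actual fix: the value is bound as a parameter, so whatever it
    # contains is matched literally and never parsed as SQL.
    sql = "SELECT id FROM products WHERE visible = 1 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + a + "%",))]

# SI-9 style input restriction (assumed policy, not the vendor's): a search term
# is letters, digits, spaces, dots and hyphens, at most 64 characters. Anything
# else is rejected before any query is built.
SEARCH_TERM = re.compile(r"[\w .-]{1,64}")

def is_acceptable_term(a):
    return SEARCH_TERM.fullmatch(a) is not None

def search_hardened(conn, a):
    if not is_acceptable_term(a):
        raise ValueError("rejected search term")
    return search_bound(conn, a)

if __name__ == "__main__":
    db = make_db()
    benign, hostile = "Laptop", "' OR 1=1 --"
    print("vulnerable, benign :", search_vulnerable(db, benign))   # [1, 2]
    print("vulnerable, hostile:", search_vulnerable(db, hostile))  # [1, 2, 3]: hidden row leaks
    print("bound, hostile     :", search_bound(db, hostile))       # []
    print("allowlist, hostile :", is_acceptable_term(hostile))     # False
```

The bound query alone already closes the injection; the allowlist is a second layer that also rejects the request before it reaches the database, which is what SI-9 asks for.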

References