Cyber Resilience

CVE-2019-25473

High · Public PoC

Published: 12 March 2026
Modified: 15 April 2026
KEV Added: not listed
Patch: none listed
CVSS Score (v4): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0004 (11.9th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25473 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.9th percentile by exploit likelihood (EPSS, below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SC-7 (Boundary Protection).

Deeper analysis

Clinic Pro is affected by CVE-2019-25473, a SQL injection vulnerability (CWE-89) in the monthly_expense_overview endpoint. The flaw arises from insufficient sanitization of the month parameter in POST requests, enabling attackers to inject malicious SQL code into database queries. This issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low privileges required.

Authenticated attackers with low privileges can exploit this vulnerability over the network with low complexity and no user interaction. By crafting the month parameter using boolean-based blind, time-based blind, or error-based SQL injection techniques, they can manipulate queries to extract sensitive database information, such as patient records or financial data, without affecting availability.

Advisories and proof-of-concept exploits are documented in references including Exploit-DB (https://www.exploit-db.com/exploits/46642) and VulnCheck (https://www.vulncheck.com/advisories/clinic-pro-sql-injection-via-monthly-expense-overview-month-parameter), which detail the injection methods but do not specify patches or mitigations. Security practitioners should verify vendor updates for Clinic Pro and implement input validation, prepared statements, or a web application firewall to prevent exploitation.
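To make the recommended fix concrete, the following is an added example and not Clinic Pro's own code (the page does not give the application's language or schema): a string-built query of the kind CWE-89 describes beside a validated, parameterized version, both run against a constructed in-memory SQLite table that stands in for the expense records the endpoint reads.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data; column names and values are assumptions."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE expenses (id INTEGER, month INTEGER, amount REAL, note TEXT)"
    )
    conn.executemany(
        "INSERT INTO expenses VALUES (?, ?, ?, ?)",
        [(1, 3, 120.0, "supplies"), (2, 3, 80.5, "lab"), (3, 4, 300.0, "rent")],
    )
    return conn


def overview_vulnerable(conn, month):
    """The CWE-89 pattern: the month parameter is spliced into SQL text,
    so a boolean expression in it changes the WHERE clause."""
    sql = f"SELECT id, amount FROM expenses WHERE month = '{month}'"
    return conn.execute(sql).fetchall()


# A month is 1-12, optionally zero-padded; nothing else is accepted (SI-10).
MONTH_RE = re.compile(r"(0?[1-9]|1[0-2])")


def overview_hardened(conn, month):
    """Validate the parameter against an allow-list, then bind it as a value
    in a prepared statement so it can never be parsed as SQL."""
    if not isinstance(month, str) or not MONTH_RE.fullmatch(month.strip()):
        raise ValueError("month must be an integer from 1 to 12")
    return conn.execute(
        "SELECT id, amount FROM expenses WHERE month = ?", (int(month),)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "3' OR '1'='1"
    print("vulnerable, payload:", overview_vulnerable(db, payload))  # every row
    try:
        overview_hardened(db, payload)
    except ValueError as exc:
        print("hardened, payload rejected:", exc)
```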

EU & UK References

Vulnerability details

Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. Attackers can send POST requests to the monthly_expense_overview endpoint with crafted month values using boolean-based blind, time-based blind, or error-based SQL injection techniques to extract sensitive database information.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.

Why these techniques?

SQL injection in web app endpoint directly enables exploitation of public-facing application for initial access and extraction of data from databases.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2019-25537 (shared CWE-89)
CVE-2019-25366 (shared CWE-89)
CVE-2019-25496 (shared CWE-89)
CVE-2026-1475 (shared CWE-89)
CVE-2026-26990 (shared CWE-89)
CVE-2026-44047 (shared CWE-89)
CVE-2025-12865 (shared CWE-89)
CVE-2024-11135 (shared CWE-89)
CVE-2019-25491 (shared CWE-89)
CVE-2024-13369 (shared CWE-89)

Affected Assets

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly requires validation and sanitization of the month parameter in POST requests to block SQL injection payloads before they reach the database query.

SC-7 Boundary Protection (prevent)
Boundary protection devices such as a WAF can inspect and block SQLi attempts targeting the monthly_expense_overview endpoint.

Flaw remediation (prevent)
Requires timely remediation of the identified SQL injection flaw via vendor patches or code fixes using prepared statements.

References