Cyber Resilience

CVE-2019-25497

High · Public PoC

Published: 27 February 2026
Modified: 04 March 2026
KEV Added: not listed
Patch: not specified
CVSS Score (v4): 8.8 (vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.0033 (24.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2019-25497 is a high-severity SQL Injection (CWE-89) vulnerability in Oscommerce Oscommerce. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 24.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2019-25497 is a SQL injection vulnerability in osCommerce version 2.3.4.1, affecting the shopping_cart.php component. The flaw arises from insufficient sanitization of the currency parameter, allowing attackers to inject malicious SQL code into database queries via GET requests. This vulnerability is classified under CWE-89 (SQL Injection) and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its potential for remote information disclosure.

Unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting boolean-based blind SQL injection payloads in the currency parameter, they can manipulate queries to extract sensitive database information, such as user credentials or other confidential data stored in the osCommerce database. The impact primarily targets confidentiality with high effect, alongside low integrity impact, but no availability disruption.

Advisories and related resources, including an Exploit-DB entry (https://www.exploit-db.com/exploits/46328) providing a proof-of-concept, the official osCommerce website (https://www.oscommerce.com), and a VulnCheck advisory (https://www.vulncheck.com/advisories/oscommerce-sql-injection-via-currency-parameter), document the issue but do not specify patch availability in the provided details. Security practitioners should verify for updates on the vendor site and apply input validation or parameterized queries as general mitigations for SQL injection risks.

Vulnerability details

osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assigned mapping)

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1213.006 Databases (Collection): Adversaries may leverage databases to mine valuable information.
Why these techniques?

This CVE enables exploitation of a public-facing web application (T1190) via unauthenticated remote SQL injection, which in turn facilitates data collection from the database (T1213.006), including sensitive information such as user credentials.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2019-25496: same product (Oscommerce Oscommerce)
- CVE-2019-25495: same product (Oscommerce Oscommerce)
- CVE-2018-25199: shared CWE-89
- CVE-2026-27179: shared CWE-89
- CVE-2025-0308: shared CWE-89
- CVE-2019-25581: shared CWE-89
- CVE-2026-27885: shared CWE-89
- CVE-2019-25479: shared CWE-89
- CVE-2026-1476: shared CWE-89
- CVE-2019-25526: shared CWE-89

Affected Assets

Vendor: oscommerce
Product: oscommerce
Versions: ≤ 2.3.4.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-assigned mapping)

- prevent: Directly mitigates the SQL injection vulnerability by requiring validation of the unsanitized currency parameter before its use in database queries.
- prevent: Addresses the specific flaw in osCommerce 2.3.4.1 shopping_cart.php through timely identification, reporting, and patching of the SQL injection vulnerability.
- prevent: Restricts the currency parameter to valid types, lengths, and values, blocking malicious boolean-based SQL injection payloads.
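As an added example, not osCommerce's own code and not taken from any of the advisories above, the following PHP shows the two controls that the deeper analysis and the mitigating-controls list both describe: allowlist validation of the currency parameter (type, length and value) and a parameterized lookup so that the value is bound as data rather than spliced into SQL text. The `currencies` table, its column names, and the `validate_currency_code`, `lookup_currency` and `resolve_request_currency` functions are assumptions made for illustration; the script runs stand-alone against an in-memory SQLite database populated with constructed rows.

```php
<?php
// Added example (not osCommerce code): hardened handling of a currency code
// taken from a GET parameter before it is used in a database query.
// Assumptions (hypothetical): a `currencies` table with the columns below and
// a PDO connection $pdo. Table and column names are placeholders.

declare(strict_types=1);

/**
 * Allowlist validation for an ISO-4217-style currency code.
 * Accepts exactly three uppercase ASCII letters and rejects everything else,
 * including SQL metacharacters, whitespace and overlong input.
 */
function validate_currency_code(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    // Length check first: fail closed on anything but a short string.
    if (strlen($raw) !== 3) {
        return null;
    }
    // Value check: only A-Z. preg_match returns 1 on match, 0 otherwise.
    return preg_match('/^[A-Z]{3}$/', $raw) === 1 ? $raw : null;
}

/**
 * Resolve the currency row with a parameterized query. Even if validation
 * were bypassed, the value is bound as data, never concatenated into the SQL.
 */
function lookup_currency(PDO $pdo, string $code): ?array
{
    $stmt = $pdo->prepare(
        'SELECT code, symbol_left, symbol_right, decimal_places FROM currencies WHERE code = :code'
    );
    $stmt->bindValue(':code', $code, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Request handling: malformed or unknown codes fall back to a configured
 * default instead of being passed to the database or echoed back.
 */
function resolve_request_currency(PDO $pdo, array $get, string $default = 'USD'): string
{
    $raw = $get['currency'] ?? null;
    // Type check: currency[]=x arrives as an array and must be rejected too.
    $code = validate_currency_code(is_string($raw) ? $raw : null);
    if ($code === null && $raw !== null) {
        // Rejected input is logged hex-encoded so the log line itself is inert
        // and the event is visible to detection tooling.
        error_log('currency parameter rejected: ' . bin2hex(is_string($raw) ? $raw : json_encode($raw)));
    }
    $row = $code !== null ? lookup_currency($pdo, $code) : null;
    // Syntactically valid but unconfigured codes also fall back to the default.
    return $row['code'] ?? $default;
}

// Demonstration with an in-memory SQLite database (constructed sample data).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE currencies (code TEXT PRIMARY KEY, symbol_left TEXT, symbol_right TEXT, decimal_places INTEGER)');
$pdo->exec("INSERT INTO currencies VALUES ('USD', '\$', '', 2), ('EUR', '', ' EUR', 2)");

// Constructed inputs: a valid code, a boolean-style injection attempt,
// an overlong value, and an array-typed parameter.
$samples = ['EUR', "USD' AND 1=1-- ", str_repeat('A', 64), ['x']];
foreach ($samples as $input) {
    $code = resolve_request_currency($pdo, ['currency' => $input]);
    $shown = is_string($input) ? substr($input, 0, 20) : 'array';
    printf("%-20s -> %s\n", $shown, $code);
}
```

The allowlist does the real work here: a three-letter uppercase code has no room for quotes, comments or boolean clauses, so the injection payload described above is rejected before any query is built. The prepared statement is defence in depth for the case where validation is later loosened or bypassed, and the hex-encoded log line gives operations a detection signal without reintroducing the untrusted value into another sink.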
