CVE-2019-25505
Published: 04 March 2026
Summary
CVE-2019-25505 is a high-severity SQL Injection (CWE-89) vulnerability in Bdtask Tradebox. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability is ranked at the 11.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
Tradebox 5.4 is affected by CVE-2019-25505, an SQL injection vulnerability (CWE-89) in the monthly_deposit endpoint. The flaw arises when the application fails to properly sanitize the symbol parameter in POST requests, allowing attackers to inject malicious SQL code and manipulate database queries. This vulnerability, assigned a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), enables extraction of sensitive database information through techniques such as boolean-based blind, time-based blind, error-based, or union-based SQL injection.
Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By sending crafted POST requests to the monthly_deposit endpoint with malicious values in the symbol parameter, they can achieve high-impact confidentiality breaches by dumping sensitive data, alongside limited integrity impacts, but without affecting availability.
Mitigation details are not specified in the CVE description. Security practitioners should consult referenced advisories, including the VulnCheck advisory at https://www.vulncheck.com/advisories/tradebox-sql-injection-via-symbol-parameter and the Exploit-DB entry at https://www.exploit-db.com/exploits/46671, which documents a proof-of-concept exploit.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19731
Vulnerability details
Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A directly network-exploitable SQL injection in a public-facing web endpoint maps to T1190; the data-extraction impact does not map to additional specific techniques without further assumptions.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): requires validation and sanitization of the symbol parameter in POST requests to the monthly_deposit endpoint, directly blocking all forms of SQL injection described in the CVE.
- Error handling: mandates suppression of detailed error messages that would otherwise enable error-based SQL injection and sensitive data leakage from the database.
- AC-6 (Least Privilege): limits the data-access privileges of authenticated users so that even a successful injection via the symbol parameter yields minimal sensitive information.
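As an added illustration of the SI-10 control and of the parameterized-query fix for the monthly_deposit handler (example code written for this page, not Tradebox's own code; the table schema, the ticker-style symbol format and the handler name are assumptions), the vulnerable concatenation pattern is shown beside its hardened form, with SQLite standing in for the application's database:

```python
import re
import sqlite3


def make_db():
    # Constructed in-memory table standing in for the deposit data a
    # monthly_deposit endpoint would query; the schema is hypothetical.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE monthly_deposit (symbol TEXT, amount REAL)")
    conn.executemany(
        "INSERT INTO monthly_deposit VALUES (?, ?)",
        [("ACME", 100.0), ("XYZ", 250.0), ("PRIV", 999.0)],
    )
    conn.commit()
    return conn


def deposits_vulnerable(conn, symbol):
    # CWE-89 pattern: the request parameter is spliced into the SQL text,
    # so a quote in 'symbol' changes the structure of the query.
    sql = "SELECT symbol, amount FROM monthly_deposit WHERE symbol = '" + symbol + "'"
    return conn.execute(sql).fetchall()


def deposits_parameterized(conn, symbol):
    # Bound parameter: the driver sends the value separately from the
    # statement, so it can only ever be compared as a string literal.
    sql = "SELECT symbol, amount FROM monthly_deposit WHERE symbol = ?"
    return conn.execute(sql, (symbol,)).fetchall()


# SI-10 style allowlist for a ticker-like symbol (assumed format).
SYMBOL_RE = re.compile(r"[A-Z0-9.\-]{1,12}")


def validate_symbol(symbol):
    # Reject anything that is not a plausible symbol before it reaches the
    # database layer; a generic error avoids leaking query details.
    if not isinstance(symbol, str) or not SYMBOL_RE.fullmatch(symbol):
        raise ValueError("invalid symbol")
    return symbol


def handle_monthly_deposit(conn, form):
    # Hardened handler: validate the POST field, then run the bound query.
    symbol = validate_symbol(form.get("symbol", ""))
    return deposits_parameterized(conn, symbol)
```

Pairing this with a database account that holds only the SELECT rights the endpoint needs (AC-6) bounds what an injection could reach even if validation were bypassed.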