Cyber Resilience

CVE-2019-25505

Severity: High · Public PoC

Published: 04 March 2026
Modified: 09 March 2026
KEV Added: not listed
Patch: not specified
CVSS Score (v4): 7.1 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0004 (11.6th percentile)
Risk Priority: 14 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2019-25505 is a high-severity SQL Injection (CWE-89) vulnerability in Bdtask Tradebox. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 11.6th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

Tradebox 5.4 is affected by CVE-2019-25505, an SQL injection vulnerability (CWE-89) in the monthly_deposit endpoint. The flaw arises when the application fails to properly sanitize the symbol parameter in POST requests, allowing attackers to inject malicious SQL code and manipulate database queries. This vulnerability, assigned a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), enables extraction of sensitive database information through techniques such as boolean-based blind, time-based blind, error-based, or union-based SQL injection.

Authenticated attackers with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low complexity and no user interaction required. By sending crafted POST requests to the monthly_deposit endpoint with malicious values in the symbol parameter, they can achieve high-impact confidentiality breaches by dumping sensitive data, alongside limited integrity impacts, but without affecting availability.

Mitigation details are not specified in the CVE description. Security practitioners should consult referenced advisories, including the VulnCheck advisory at https://www.vulncheck.com/advisories/tradebox-sql-injection-via-symbol-parameter and the Exploit-DB entry at https://www.exploit-db.com/exploits/46671, which documents a proof-of-concept exploit.


Vulnerability details

Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information.

CWE(s): CWE-89 (SQL Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct network-exploitable SQLi in public-facing web endpoint enables T1190; data extraction impact does not map to additional specific techniques without further assumptions.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-1597 (same vendor: Bdtask)
CVE-2026-39334 (shared CWE-89)
CVE-2024-13488 (shared CWE-89)
CVE-2026-20002 (shared CWE-89)
CVE-2025-1446 (shared CWE-89)
CVE-2025-22699 (shared CWE-89)
CVE-2026-36232 (shared CWE-89)
CVE-2026-31871 (shared CWE-89)
CVE-2026-33078 (shared CWE-89)
CVE-2026-46359 (shared CWE-89)

Affected Assets

bdtask tradebox 5.4

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

prevent (SI-10 Information Input Validation): Requires validation and sanitization of the symbol parameter in POST requests to the monthly_deposit endpoint, directly blocking all forms of SQL injection described in the CVE.

prevent: Mandates suppression of detailed error messages that would otherwise enable error-based SQL injection and sensitive data leakage from the database.

prevent (AC-6 Least Privilege): Limits the data-access privileges of authenticated users so that even a successful injection via the symbol parameter yields minimal sensitive information.
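To make the CWE-89 pattern described in the deeper analysis and the SI-10/AC-6 controls above concrete, the following is an added illustration written for this page; it is not Tradebox code and the table and column names, the symbol format and the sample rows are all assumptions. It places a string-built monthly_deposit lookup beside a hardened version (input validation plus a parameterized query) and shows a least-privilege read restriction on the database connection, using an in-memory SQLite database so it runs offline.

```python
"""Added illustration, not Tradebox code: a string-built query for a
monthly_deposit lookup beside a hardened version (SI-10 validation plus a
parameterized query) and an AC-6 style read restriction on the connection."""
import re
import sqlite3

# Constructed schema and rows; table and column names are assumptions.
SCHEMA = """
CREATE TABLE monthly_deposit (id INTEGER PRIMARY KEY, symbol TEXT, amount REAL);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO monthly_deposit VALUES (1, 'ABC', 100.0), (2, 'XYZ', 250.0);
INSERT INTO users VALUES (1, 'admin', 'constructed-hash');
"""


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def deposits_vulnerable(conn, symbol):
    # CWE-89 pattern: the request parameter is spliced into the SQL text, so a
    # quote inside it ends the literal and the remainder is parsed as SQL.
    sql = f"SELECT symbol, amount FROM monthly_deposit WHERE symbol = '{symbol}'"
    return conn.execute(sql).fetchall()


# Assumed format for a symbol: short, upper-case alphanumerics only.
SYMBOL_RE = re.compile(r"[A-Z0-9]{1,10}")


def deposits_hardened(conn, symbol):
    # SI-10: reject anything that is not a plausible symbol before touching the DB.
    if not SYMBOL_RE.fullmatch(symbol):
        raise ValueError("invalid symbol")
    # Parameterized query: the value is bound as data, never parsed as SQL.
    return conn.execute(
        "SELECT symbol, amount FROM monthly_deposit WHERE symbol = ?", (symbol,)
    ).fetchall()


def restrict_reads(conn, allowed_tables):
    # AC-6 analogue for the connection this endpoint uses: an authorizer that
    # denies reads outside the listed tables, so an injection that slipped
    # through validation still could not reach 'users'.
    def authorizer(action, table, column, dbname, trigger):
        if action == sqlite3.SQLITE_READ and table not in allowed_tables:
            return sqlite3.SQLITE_DENY
        return sqlite3.SQLITE_OK

    conn.set_authorizer(authorizer)


def users_readable(conn):
    # Probe used to show the effect of restrict_reads() on this connection.
    try:
        conn.execute("SELECT username FROM users").fetchall()
        return True
    except sqlite3.DatabaseError:
        return False


if __name__ == "__main__":
    db = new_db()
    probe = "' OR 1=1 --"  # constructed tautology, the page's boolean-based case
    print("vulnerable:", deposits_vulnerable(db, probe))  # every row comes back
    try:
        deposits_hardened(db, probe)
    except ValueError as exc:
        print("hardened:", exc)
    restrict_reads(db, {"monthly_deposit"})
    print("users readable after restriction:", users_readable(db))
```

The two layers are deliberately independent: the validation regex stops the malformed value at the edge, the bound parameter makes the query safe even if validation is later relaxed, and the authorizer models a database account that can only read the tables this endpoint needs, which is the AC-6 idea of limiting what a successful injection could ever return.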

References