CVE-2019-25508
Published: 12 March 2026
Summary
CVE-2019-25508 is a high-severity SQL Injection (CWE-89) vulnerability in Jettweb Php Ready Advertisement Site Script. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 27.7th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25508 is an SQL injection vulnerability (CWE-89) in Jettweb Php Hazir Ilan Sitesi Scripti V2. The flaw resides in the katgetir.php endpoint, where the value of the 'kat' parameter is not properly sanitized before it is used in a database query, enabling attackers to inject arbitrary SQL code. Published on 2026-03-12, it carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high severity due to its network accessibility and the absence of prerequisites such as authentication or user interaction.
Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to katgetir.php with malicious values in the 'kat' parameter. Successful exploitation allows manipulation of database queries to extract sensitive information, with potential for limited data modification but no denial of service.
Advisories from Vulncheck (https://www.vulncheck.com/advisories/jettweb-php-hazir-ilan-sitesi-scripti-v2-sql-injection-via-katgetir-php) and a proof-of-concept on Exploit-DB (https://www.exploit-db.com/exploits/46606) document the issue, though specific patch details are not provided in available descriptions. Security practitioners should review these resources for mitigation guidance, such as input validation or upgrading the affected script.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19776
Vulnerability details
Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. Attackers can send GET requests to the katgetir.php endpoint with malicious 'kat' values to extract sensitive database information.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated network exploitation of a public-facing web app via SQL injection in katgetir.php.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly prevents SQL injection by requiring validation of untrusted inputs such as the 'kat' parameter before they are included in database queries.
- SI-2 (Flaw Remediation): ensures timely identification, reporting, and correction of the specific SQL injection flaw in katgetir.php.
- Restricting the 'kat' parameter to specific types, formats, and lengths blocks common SQL injection payloads before they reach the query.
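As an added example (not code from the Jettweb script or its vendor), this is the hardened form of the katgetir.php handler described above: the SI-10 input validation called for in the controls list, combined with a parameterised query so the 'kat' value can never alter the statement. The table and column names, and the assumption that 'kat' is a numeric category id, are hypothetical.

```php
<?php
// Added example, not the Jettweb script's own code: hardened replacement for the
// pattern behind CVE-2019-25508, where the 'kat' GET parameter was concatenated into
// SQL. Table/column names and 'kat' being a numeric category id are assumptions.

declare(strict_types=1);

// Vulnerable pattern as described in the advisory (do NOT use):
//   $sql = "SELECT * FROM ilanlar WHERE kategori_id = " . $_GET['kat'];
//   $result = mysqli_query($conn, $sql);

// SI-10: validate the untrusted input against an explicit type and range
// before it gets anywhere near a query.
function readCategoryId(): ?int
{
    $kat = filter_input(INPUT_GET, 'kat', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 1000000],
    ]);
    // filter_input returns false for a non-integer and null when absent
    return ($kat === false || $kat === null) ? null : $kat;
}

// Parameterised query: the value travels separately from the SQL text,
// so it cannot change the statement's structure.
function fetchAdsByCategory(PDO $db, int $categoryId): array
{
    $stmt = $db->prepare(
        'SELECT id, baslik, fiyat FROM ilanlar WHERE kategori_id = :kat'
    );
    $stmt->bindValue(':kat', $categoryId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

header('Content-Type: application/json');

$categoryId = readCategoryId();
if ($categoryId === null) {
    http_response_code(400);
    echo json_encode(['error' => 'invalid kat parameter']);
    exit;
}

// Placeholder DSN and credentials; real values belong in configuration.
$db = new PDO('mysql:host=localhost;dbname=ilan;charset=utf8mb4', 'app', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // server-side prepared statements
]);

echo json_encode(fetchAdsByCategory($db, $categoryId));
```

Rejecting non-integer 'kat' values with a 400 also gives defenders a clean signal to alert on, since legitimate clients never send them.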