CVE-2019-25513
Published: 12 March 2026
Summary
CVE-2019-25513 is a high-severity SQL Injection (CWE-89) vulnerability in Jettweb Php Stock News Site Script. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 42.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25513 is an SQL injection vulnerability (CWE-89) in Jettweb PHP Hazir Haber Sitesi Scripti V3. The flaw resides in the datagetir.php component, where the 'q' parameter fails to properly sanitize user input, allowing attackers to inject arbitrary SQL code into database queries.
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By sending crafted GET requests to datagetir.php with malicious values in the 'q' parameter, attackers can perform time-based blind SQL injection to extract sensitive database information or bypass authentication mechanisms. The CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects high confidentiality impact with low integrity impact and no availability disruption.
Advisories from Exploit-DB (exploit 46599) and Vulncheck document the vulnerability, including proof-of-concept exploits demonstrating the time-based blind SQL injection technique via the 'q' parameter in datagetir.php. No patches or specific mitigations are detailed in the provided references.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19786
Vulnerability details
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send GET requests to datagetir.php with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information or bypass authentication.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
The SQL injection vulnerability in a public-facing web application (datagetir.php) enables unauthenticated remote exploitation (T1190) to extract sensitive database information via time-based blind SQLi (T1213.006).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
- SI-10 (Information Input Validation): Directly prevents SQL injection by requiring validation and sanitization of user inputs such as the 'q' parameter in datagetir.php before any database query is executed.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific SQL injection flaw in datagetir.php to eliminate the vulnerability.
- SC-7 (Boundary Protection): Web application firewalls at the network boundary can inspect and block malicious SQL injection payloads in unauthenticated GET requests to datagetir.php.
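As an added illustration (not code from this advisory, from Exploit-DB, or from the affected product), the following Python block shows the CWE-89 pattern described in the analysis above beside the parameterized query and allow-list validation that SI-10 calls for. It uses an in-memory SQLite table; the table name, column names, rows and function names are constructed assumptions and do not describe datagetir.php itself. The equivalent fix in PHP is a PDO prepared statement with bound parameters.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed sample table standing in for the news-site database.
    Table and column names are assumptions for illustration only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE haber (id INTEGER PRIMARY KEY, baslik TEXT, gizli INTEGER)"
    )
    conn.executemany(
        "INSERT INTO haber (baslik, gizli) VALUES (?, ?)",
        [
            ("Public story", 0),
            ("Another public story", 0),
            ("Draft, not yet published", 1),  # gizli=1: must never be returned
        ],
    )
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> list[str]:
    """The CWE-89 pattern: the request parameter is spliced straight into SQL,
    so the caller controls the query structure, not just a value."""
    sql = f"SELECT baslik FROM haber WHERE gizli = 0 AND baslik LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, q: str) -> list[str]:
    """Hardened form: the value is bound as a parameter, so whatever the
    client sends is compared as data and can never change the query."""
    sql = "SELECT baslik FROM haber WHERE gizli = 0 AND baslik LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{q}%",))]


def validate_q(q: str, max_len: int = 64) -> str:
    """Allow-list validation in front of the query (defense in depth on top
    of parameterization): a search term may contain letters, digits, spaces
    and hyphens only, and is length-capped."""
    if len(q) > max_len or not all(ch.isalnum() or ch in " -" for ch in q):
        raise ValueError("rejected search term")
    return q


if __name__ == "__main__":
    conn = make_db()
    benign = "public"
    # Constructed sample of a structure-altering value; the comment marker
    # discards the rest of the concatenated query.
    hostile = "%' OR 1=1 --"
    print("vulnerable, benign     :", search_vulnerable(conn, benign))
    print("vulnerable, hostile    :", search_vulnerable(conn, hostile))
    print("parameterized, benign  :", search_parameterized(conn, benign))
    print("parameterized, hostile :", search_parameterized(conn, hostile))
    for term in (benign, hostile):
        try:
            validate_q(term)
            print("validation accepted    :", term)
        except ValueError:
            print("validation rejected    :", term)
```

With the concatenated query, the hostile value returns every row including the unpublished one; the bound query returns nothing for it because the string is matched literally. The allow-list rejects it before the database is reached at all, which is the check a boundary control such as a WAF rule would also apply.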