CVE-2019-25529
Published: 12 March 2026
Summary
CVE-2019-25529 is a high-severity SQL Injection (CWE-89) vulnerability in Placeto CMS Alpha rv.4, a project hosted on SourceForge (vendor inferred from references). Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 11.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2019-25529 is an SQL injection vulnerability (CWE-89) in Placeto CMS Alpha rv.4. The flaw resides in the admin/edit.php endpoint, where the 'page' parameter fails to properly sanitize user input, allowing attackers to inject SQL code and manipulate database queries.
Authenticated attackers with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction required. By crafting GET requests to admin/edit.php with malicious 'page' parameter values, they can employ boolean-based blind, time-based blind, or union-based SQL injection techniques to extract sensitive database information. The issue carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N), reflecting high confidentiality impact, low integrity impact, and no availability impact.
Advisories and resources include the VulnCheck advisory at https://www.vulncheck.com/advisories/placeto-cms-alpha-rv-4-sql-injection-via-page-parameter, a proof-of-concept exploit on Exploit-DB at https://www.exploit-db.com/exploits/46588, the project page at https://sourceforge.net/projects/placeto/, and the affected Alpha rv.4 download at https://sourceforge.net/projects/placeto/files/alpha-rv.4/placeto.zip. No patches or specific mitigation steps are detailed in the provided references.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-19811
Vulnerability details
Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. Attackers can send GET requests to the admin/edit.php endpoint with malicious 'page' values using boolean-based blind, time-based blind, or union-based techniques to extract sensitive database information.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct SQL injection in a web application admin endpoint (admin/edit.php) enables remote exploitation of a public-facing CMS to extract database data.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation and sanitization of the 'page' parameter in admin/edit.php to block SQL injection payloads.
- AC-6 (Least Privilege): limits the database objects and data an authenticated low-privilege user can reach even when an injection succeeds.
- Monitoring: enables detection of anomalous SQL statements or excessive data returned from the edit.php endpoint.
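The pattern described in the deeper analysis (a 'page' query parameter spliced into an SQL statement) and the SI-10 / AC-6 controls above, shown side by side as an added illustration. This is not Placeto's code: the handler, the `pages` table and its columns, and the database account name are assumed for the example.

```php
<?php
// Added illustration (not Placeto's own code): a hypothetical admin/edit.php
// handler that loads a record by the 'page' query parameter. The table name
// (pages) and columns (id, title, body) are assumptions for this example.

// --- Vulnerable pattern: the request value becomes part of the SQL text ---
function load_page_vulnerable(PDO $db, array $get): ?array
{
    $page = $get['page'] ?? '';
    // The client-controlled value is concatenated into the statement, so it
    // can change the query's structure rather than just its parameter.
    $sql = "SELECT id, title, body FROM pages WHERE id = " . $page;
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// --- Hardened pattern (SI-10): validate the type, then bind the value ---
function load_page_safe(PDO $db, array $get): ?array
{
    // 1. Input validation: 'page' must be a positive integer identifier.
    $page = filter_var($get['page'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($page === false) {
        http_response_code(400);   // reject anything that is not an id
        return null;
    }
    // 2. Parameterised query: the value travels separately from the SQL
    //    text, so it can never alter the statement's structure.
    $stmt = $db->prepare('SELECT id, title, body FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $page, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Example wiring. AC-6: connect as an account ("placeto_ro", assumed name)
// granted only SELECT on the tables this page needs, so a successful
// injection elsewhere still cannot reach other data. Disabling emulated
// prepares makes the server, not the driver, enforce the parameter boundary.
$db = new PDO('mysql:host=127.0.0.1;dbname=placeto', 'placeto_ro', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$row = load_page_safe($db, $_GET);
```

Rejecting non-integer values up front also gives the monitoring control above a clean signal: a burst of 400 responses on admin/edit.php is worth alerting on.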