CVE-2019-25538
Published: 12 March 2026
Summary
CVE-2019-25538 is a high-severity SQL Injection (CWE-89) vulnerability in Konradpl99 202Cms. Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 45.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection by requiring validation of the log_user parameter to reject malicious SQL code.
SI-9 enforces restrictions on the log_user input at system boundaries to block SQL injection attempts through format and content limits.
SI-2 requires identification and remediation of the specific SQL injection flaw in 202CMS v10 beta's log_user parameter handling.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
CVE-2019-25538 is an unauthenticated SQL injection in a public-facing CMS (T1190: Exploit Public-Facing Application), enabling database query manipulation for sensitive data extraction like credentials (T1213.006: Databases).
NVD Description
202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. Attackers can send crafted requests with malicious SQL statements in the log_user field to extract sensitive…
more
database information or modify database contents.
Deeper analysisAI
CVE-2019-25538 is an SQL injection vulnerability in 202CMS v10 beta, specifically through the log_user parameter. This flaw allows attackers to inject malicious SQL code into database queries, as the parameter fails to properly sanitize user input. Affected systems are instances of 202CMS v10 beta, a content management system hosted on SourceForge under the project name b202cms. The vulnerability is classified under CWE-89 and carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability disruption.
Unauthenticated remote attackers can exploit this vulnerability by sending crafted HTTP requests containing malicious SQL statements in the log_user field. Successful exploitation enables manipulation of database queries, allowing extraction of sensitive information such as user credentials or other confidential data, or limited modification of database contents. The lack of authentication requirements (PR:N) and low attack complexity (AC:L) make it accessible to any network adversary without user interaction.
References include the 202CMS project page on SourceForge, a proof-of-concept exploit on Exploit-DB (ID 46579), and a detailed advisory from Vulncheck describing the SQL injection via the log_user parameter. No patches or specific mitigation steps are detailed in the provided information, emphasizing the need for input validation and prepared statements in similar applications.
Details
- CWE(s)