CVE-2019-25713
Published: 12 April 2026
Summary
CVE-2019-25713 is a high-severity SQL Injection (CWE-89) vulnerability in Myt Project Myt. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 19.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2019-25713 is an SQL injection vulnerability (CWE-89) in MyT-PM version 1.5.1. The issue arises from insufficient input validation of the Charge[group_total] parameter: the value is incorporated into a database query without being validated or parameterized, so an attacker can inject SQL through crafted POST requests to the /charge/admin endpoint. This allows execution of arbitrary SQL queries using error-based, time-based blind, or stacked query payloads.
Authenticated attackers with low privileges (PR:L) can exploit the vulnerability remotely (AV:N) with low attack complexity (AC:L) and no user interaction (UI:N). Successful exploitation grants high confidentiality impact (C:H) through extraction of sensitive database information and low integrity impact (I:L) via data manipulation, with no availability impact (A:N) and unchanged scope (S:U). The CVSS v3.1 base score is 7.1.
References include an Exploit-DB proof-of-concept (exploit 46084), a Vulncheck advisory on the SQL injection via the Charge[group_total] parameter, the MyT-PM SourceForge project page, and the official manageyourteam.net site. Security practitioners should review these sources for any patch information or mitigation recommendations.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2019-20149
Vulnerability details
MyT-PM 1.5.1 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the Charge[group_total] parameter. Attackers can submit crafted POST requests to the /charge/admin endpoint with error-based, time-based blind, or stacked query payloads to extract sensitive database information or manipulate data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a web application directly enables exploitation of a public-facing application (T1190); the resulting arbitrary queries facilitate access to database data (T1213.006) and manipulation of stored data (T1565.001).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly mitigates SQL injection by requiring validation mechanisms for inputs like the Charge[group_total] parameter to block malicious SQL payloads in POST requests to /charge/admin.
- SI-2 (Flaw Remediation): Mandates identification, reporting, and correction of the specific SQL injection flaw in MyT-PM 1.5.1, including patching to eliminate the vulnerability.
- Prevents information disclosure from database errors exploited in error-based SQL injection attacks via the Charge[group_total] parameter.
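The following is an added illustration, not code from MyT-PM, showing the defect class described in the analysis above (a request parameter spliced into SQL text) next to the SI-10 style fix: an allow-list validator for the Charge[group_total] amount, a parameterized query, and a generic error response so database error text never reaches the client. The table name, column names and sample rows are constructed assumptions for an in-memory SQLite database; the handler that simulates a parsed POST body is also hypothetical.

```python
import re
import sqlite3
from decimal import Decimal


def make_db():
    """Constructed stand-in for the application's charge table (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE charge (id INTEGER PRIMARY KEY, description TEXT, group_total REAL)"
    )
    conn.executemany(
        "INSERT INTO charge (description, group_total) VALUES (?, ?)",
        [("hosting", 120.0), ("support", 45.5), ("licence", 300.0)],
    )
    conn.commit()
    return conn


def vulnerable_query(raw_group_total):
    """Anti-pattern (CWE-89): the raw request value becomes part of the SQL text,
    so anything the client sends is parsed by the database as SQL."""
    return f"SELECT id, description FROM charge WHERE group_total = {raw_group_total}"


# Allow-list for a money amount: up to 10 integer digits and at most 2 decimals.
_AMOUNT_RE = re.compile(r"\d{1,10}(\.\d{1,2})?")


def validate_group_total(raw):
    """SI-10 style input validation: accept only a plain non-negative decimal."""
    if not isinstance(raw, str) or not _AMOUNT_RE.fullmatch(raw.strip()):
        raise ValueError("Charge[group_total] must be a non-negative decimal amount")
    return Decimal(raw.strip())


def find_charges_by_total(conn, raw_group_total):
    """Hardened lookup: validated value passed as a bound parameter, never as SQL text."""
    amount = validate_group_total(raw_group_total)
    cur = conn.execute(
        "SELECT id, description FROM charge WHERE group_total = ?", (float(amount),)
    )
    return cur.fetchall()


def handle_post(conn, form):
    """Hypothetical handler: `form` is a parsed POST body such as
    {"Charge[group_total]": "120.00"}. Rejections return a generic 400 so no
    database error detail is exposed to the caller."""
    try:
        rows = find_charges_by_total(conn, form.get("Charge[group_total]", ""))
    except ValueError as exc:
        return {"status": 400, "error": str(exc)}
    return {"status": 200, "rows": rows}


if __name__ == "__main__":
    db = make_db()
    print(handle_post(db, {"Charge[group_total]": "120.00"}))
    print(handle_post(db, {"Charge[group_total]": "120 OR 1=1"}))
```

Both layers matter: the parameter binding alone already stops the injection, and the validator additionally rejects values that are not amounts before they reach the database, which is what a detection rule or WAF signature for this parameter would key on as well.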