CVE-2019-25506 — HIGH (8.2)

Q: How severe is CVE-2019-25506?

CVE-2019-25506 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2019-25506?

Check the references section above for vendor advisories and patch information. Affected products include: Freesms Project Freesms.

Vulnerability Description

FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.

CVSS Score

8.2

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Freesms Project	Freesms	<= 2.1.2

Related Weaknesses (CWE)

CWE-89

References

https://www.exploit-db.com/exploits/46658ExploitVDB Entry
https://www.vulncheck.com/advisories/freesms-authentication-bypass-via-sql-injecThird Party Advisory

FAQ

What is CVE-2019-25506?

CVE-2019-25506 is a vulnerability with a CVSS score of 8.2 (HIGH). FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the logi...

How severe is CVE-2019-25506?

CVE-2019-25506 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2019-25506?

Check the references section above for vendor advisories and patch information. Affected products include: Freesms Project Freesms.