CVEDB API

Vulnerabilities

By Date
Known Exploited
Advanced Search

Vulnerable Software

Vendors
Products

Vulnerability Details CVE-2019-25675

eDirectory contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to bypass administrator authentication and disclose sensitive files by injecting SQL code into parameters. Attackers can exploit the key parameter in the login endpoint with union-based SQL injection to authenticate as administrator, then leverage authenticated file disclosure vulnerabilities in language_file.php to read arbitrary PHP files from the server.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.002

EPSS Ranking 40.9%

CVSS Severity

CVSS v3 Score 8.2

References

https://www.edirectory.com/
https://www.exploit-db.com/exploits/46423
https://www.vulncheck.com/advisories/edirectory-all-versions-sql-injection-authentication-bypass

Products affected by CVE-2019-25675

Arcasolutions » Edirectory » Version: Any

cpe:2.3:a:arcasolutions:edirectory:*

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2019-25675

Products

Pricing

Contact Us