CVE-2019-25100

08.01.2023, 11:15

A vulnerability was found in happyman twmap. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file twmap3/data/ajaxCRUD/pointdata2.php. The manipulation of the argument id leads to sql injection. Upgrading to version v2.9_v4.31 is able to address this issue. The identifier of the patch is babbec79b3fa4efb3bd581ea68af0528d11bba0c. It is recommended to upgrade the affected component. The identifier VDB-217645 was assigned to this vulnerability.

SQL Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.5 MEDIUM	ADJACENT_NETWORK	LOW	LOW	CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
VulDB	CNA	5.5 MEDIUM				CVSS:3.0/AV:A/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
CVE	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 16%

Vendor	Product	Version
twmap_project	twmap	𝑥 < 2.91_4.31

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.

References

https://github.com/happyman/twmap/commit/babbec79b3fa4efb3bd581ea68af0528d11bba0c

https://github.com/happyman/twmap/issues/42

https://github.com/happyman/twmap/releases/tag/v2.9_v4.31

https://vuldb.com/?ctiid.217645

https://vuldb.com/?id.217645

https://github.com/happyman/twmap/commit/babbec79b3fa4efb3bd581ea68af0528d11bba0c

https://github.com/happyman/twmap/issues/42

https://github.com/happyman/twmap/releases/tag/v2.9_v4.31

https://vuldb.com/?ctiid.217645

https://vuldb.com/?id.217645