CVE-2019-25325

EUVD-2019-19447
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
SQL Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
VulnCheckCNA
8.2 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: 53%
Common Weakness Enumeration
References
https://cxsecurity.com/issue/WLB-2020010019
https://exchange.xforce.ibmcloud.com/vulnerabilities/173728
https://packetstorm.news/files/id/155797
https://www.exploit-db.com/exploits/47814
https://www.vulncheck.com/advisories/thrive-smart-home-smart-home-improper-limitation-o
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php