exploitDog

CVE-2019-25580

Published: 21 Mar 2026
Source: nvd
CVSS3: 8.2
EPSS: Low

Description

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.

Vulnerable configurations

Configuration 1
cpe:2.3:a:owndms:owndms:*:*:*:*:*:*:*:*
Versions up to and including 4.7

EPSS

Percentile: 17%
0.00055
Low

8.2 High

CVSS3

Weaknesses

CWE-434

Related vulnerabilities

CVSS3: 8.2
github
about 1 month ago

ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.

EPSS

Percentile: 17%
0.00055
Low

8.2 High

CVSS3

Weaknesses

CWE-434