CVE-2019-25678
8.8
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Summary
C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the users_select.php endpoint with crafted SQL payloads to extract sensitive database information including patient records and system credentials.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| C4G | Basic Laboratory Information System | 3.4 | affected |
Weaknesses
- CWE-306: Missing Authentication for Critical Function
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: partial
References
- https://www.exploit-db.com/exploits/46438
- https://www.vulncheck.com/advisories/c4g-blis-sql-injection-via-users-select-php
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.