{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2019-25713/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.1,"id":"CVE-2019-25713"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve-2019-25713"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eMyT-PM 1.5.1 is susceptible to an SQL injection vulnerability (CVE-2019-25713) that enables authenticated attackers to execute arbitrary SQL queries. This vulnerability exists due to insufficient input sanitization of the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter. By sending specially crafted POST requests to the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint, an attacker can inject malicious SQL code, potentially leading to sensitive data extraction, data manipulation, or other unauthorized actions. This vulnerability poses a significant risk to organizations using MyT-PM 1.5.1 as it could compromise the integrity and confidentiality of their data.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker authenticates to the MyT-PM 1.5.1 application.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious POST request targeting the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eWithin the POST request, the attacker injects SQL code into the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe application processes the request without properly sanitizing the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the underlying database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the SQL injection to extract sensitive data (e.g., user credentials, financial information) using error-based, time-based blind, or stacked query payloads.\u003c/li\u003e\n\u003cli\u003eThe attacker may further manipulate data within the database, potentially altering records or creating new entries.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves complete control over the database, potentially leading to full system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL injection vulnerability can lead to the unauthorized disclosure of sensitive information, such as user credentials, financial records, and other confidential data stored within the MyT-PM database. Attackers may also be able to modify or delete data, leading to data integrity issues and potential disruption of business operations. This could result in financial losses, reputational damage, and legal repercussions for affected organizations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply patches or upgrade to a secure version of MyT-PM that addresses CVE-2019-25713.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to detect potentially malicious requests containing SQL injection attempts targeting the \u003ccode\u003e/charge/admin\u003c/code\u003e endpoint and the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent SQL injection vulnerabilities in MyT-PM and other web applications.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/charge/admin\u003c/code\u003e with unusual characters or SQL keywords in the \u003ccode\u003eCharge[group_total]\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-12T13:16:34Z","date_published":"2026-04-12T13:16:34Z","id":"/briefs/2026-04-mytpm-sqli/","summary":"MyT-PM 1.5.1 is vulnerable to SQL injection, allowing authenticated attackers to execute arbitrary SQL queries via the Charge[group_total] parameter.","title":"MyT-PM 1.5.1 SQL Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-mytpm-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Cve-2019-25713","version":"https://jsonfeed.org/version/1.1"}