CVE-2019-25728

Care2x 2.7 Hospital Information System SQL Injection via ck_config

CVSS 8.8 HIGHEPSS 0.3%CWE-89

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including login.php, indexframe.php, and various module files to extract sensitive database information without authentication.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Affected products

care2x · Care2x

public PoCs found — 1

cve_referencewww.exploit-db.com/exploits/46268unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://www.exploit-db.com/exploits/46268 https://www.vulncheck.com/advisories/care2x-hospital-information-system-sql-injection-via-ck-config