← Volver a CVEs
CVE-2019-25506
HIGH8.2
Descripcion
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.
Detalles CVE
Puntuacion CVSS v3.18.2
SeveridadHIGH
Vector CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Vector de ataqueNETWORK
ComplejidadLOW
Privilegios requeridosNONE
Interaccion usuarioNONE
Publicado3/4/2026
Ultima modificacion3/9/2026
Fuentenvd
Avistamientos honeypot0
Productos afectados
freesms_project:freesms
Debilidades (CWE)
CWE-89
Referencias
https://www.exploit-db.com/exploits/46658(disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/freesms-authentication-bypass-via-sql-injection(disclosure@vulncheck.com)
Correlaciones IOC
Sin correlaciones registradas
This product uses data from the NVD API but is not endorsed or certified by the NVD.