← back
CVE-2019-25506highCWE-89

FreeSMS 2.1.2 Authentication Bypass via SQL Injection

21Vexday Risk Score

No sign of exploitation. No public exploitation artifact known so far.

ssvc Trackcvss 8.8epss 0.5%
exploitation probability
0.5%top 63% of all CVEs
observed exploitation
nono source reports it
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Freesms · FreeSMS