← voltar
CVE-2019-25580

ownDMS 4.7 SQL Injection via pdfstream.php imagestream.php

CVSS 8.8 HIGHEPSS 0.3%CWE-434
Vexday Risk Score
21Baixo
Decisão SSVC (CISA)
Track
Sem sinal de exploração → monitorar
CVSS 8.8EPSS 0.3%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
21 mar 2026Publicada no NVD
Recomendação: Monitorar — sem sinal de exploração no momento.
ownDMS 4.7 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. Attackers can send GET requests to pdfstream.php, imagestream.php, or anyfilestream.php with crafted SQL payloads in the IMG parameter to extract sensitive database information including version and database names.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Produtos afetados
Owndms · ownDMS