{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2019-25699", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-05T15:36:33.509Z", "datePublished": "2026-04-12T12:28:49.056Z", "dateUpdated": "2026-04-13T18:06:18.270Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:49.056Z"}, "datePublic": "2019-01-28T00:00:00.000Z", "title": "Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter", "descriptions": [{"lang": "en", "value": "Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Newsbull", "product": "Newsbull Haber Script", "versions": [{"version": "1.0.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/46266", "name": "ExploitDB-46266", "tags": ["exploit"]}, {"url": "http://newsbull.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/gurkanuzunca/newsbull", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter"}], "credits": [{"lang": "en", "value": "Mehmet EMIROGLU", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:37:45.718911Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-13T18:06:18.270Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter", "credits": [{"lang": "en", "type": "finder", "value": "Mehmet EMIROGLU"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Newsbull", "product": "Newsbull Haber Script", "versions": [{"status": "affected", "version": "1.0.0"}]}], "datePublic": "2019-01-28T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/46266", "name": "ExploitDB-46266", "tags": ["exploit"]}, {"url": "http://newsbull.org/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://github.com/gurkanuzunca/newsbull", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter", "name": "VulnCheck Advisory: Newsbull Haber Script 1.0.0 Authenticated SQL Injection via search parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-12T12:28:49.056Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2019-25699", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-13T17:37:45.718911Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-04-13T17:58:09.779Z"}}]}, "cveMetadata": {"cveId": "CVE-2019-25699", "state": "PUBLISHED", "dateUpdated": "2026-04-12T12:28:49.056Z", "dateReserved": "2026-04-05T15:36:33.509Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-12T12:28:49.056Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:gurkanuzunca:newsbull:1.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "1438CDB6-DA70-4E75-A6C4-CB4DC0B6945B", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Newsbull Haber Script 1.0.0 contains multiple SQL injection vulnerabilities in the search parameter that allow authenticated attackers to extract database information through time-based, blind, and boolean-based injection techniques. Attackers can inject malicious SQL code through the search parameter in endpoints like /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs to manipulate database queries and retrieve sensitive data."}], "id": "CVE-2019-25699", "lastModified": "2026-04-17T16:43:44.013", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-12T13:16:32.770", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "http://newsbull.org/"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://github.com/gurkanuzunca/newsbull"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/46266"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/newsbull-haber-script-authenticated-sql-injection-via-search-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "1.0.0"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Newsbull Haber Script", "source": "cna", "vendor": "Newsbull"}, "product": "newsbull_haber_script", "vendor": "newsbull"}], "analysis": {"en": {"generated_at": "2026-04-12T13:52:05.831976+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011released patch or upgrade to a fixed version of Newsbull Haber Script.", "If a patch is not yet available, disable or remove the exposed search endpoints from the administration area.", "Configure the database user account used by the application to have the minimum privileges required for normal operation, limiting the scope of data that can be accessed.", "Audit the application code to ensure that all user input is sanitized and database queries are built using parameterized statements to eliminate injection vectors.", "Deploy a Web Application Firewall (WAF) to detect and block suspicious SQL patterns targeting the search parameter.", "Monitor web server and database logs for anomalous query patterns or repeated failed login attempts that could indicate exploitation attempts."], "summary": {"action": "Apply Patch", "impact": "Data exfiltration via SQL Injection"}, "threat_synthesis": {"affected_systems": "The affected product is Newsbull Haber Script version\u00a01.0.0, as disclosed by the CNA. No other releases or versions are documented as vulnerable, so systems running this exact version are at risk. Protection of the system is contingent upon mitigating or patching this specific edition.", "description_and_impact": "This vulnerability is an authenticated SQL injection flaw that resides in the search parameter of Newsbull Haber Script 1.0.0. Once an attacker has a legitimate user session, they can inject malicious SQL into endpoint searches such as /admin/comment/records, /admin/category/records, /admin/news/records, and /admin/menu/childs. The injected payloads can be delivered using time\u2011based, blind, or boolean\u2011based techniques to read sensitive data from the database. The primary consequence is the uncontrolled disclosure of stored information such as user credentials, configuration data, or any other data the database contains. No direct privilege escalation or arbitrary code execution is implied.", "risk_and_exploitability": "The CVSS score of 7.1 marks this issue as high severity. EPSS information is unavailable and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires authenticated access to the web application; once authenticated, an attacker can send crafted search queries that manipulate SQL statements and retrieve confidential data. The weakness does not enable remote code execution or system compromise beyond data exfiltration, but the high potential impact warrants prompt remediation."}}}}, "created": "2026-04-13T12:41:17.474235+00:00", "updated": "2026-04-13T12:55:56.170398+00:00", "vendors": ["newsbull", "newsbull$PRODUCT$newsbull_haber_script"]}