CVE-2019-25488

Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into the 'tur', 'id', and 'ozellikdil' parameters of the admin/index.php endpoint to extract sensitive database information or cause denial of service.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.exploit-db.com/exploits/46614	Exploit VDB Entry
https://www.vulncheck.com/advisories/jettweb-hazir-rent-a-car-scripti-v4-sql-injection-via-admin	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jettweb:php_ready_rent_a_car_site_script:4:*:*:*:*:*:*:*

History

17 Mar 2026, 20:09

Type	Values Removed	Values Added
CPE		cpe:2.3:a:jettweb:php_ready_rent_a_car_site_script:4:::::::*
References	~~() https://www.exploit-db.com/exploits/46614 -~~	() https://www.exploit-db.com/exploits/46614 - Exploit, VDB Entry
References	~~() https://www.vulncheck.com/advisories/jettweb-hazir-rent-a-car-scripti-v4-sql-injection-via-admin -~~	() https://www.vulncheck.com/advisories/jettweb-hazir-rent-a-car-scripti-v4-sql-injection-via-admin - Third Party Advisory
First Time		Jettweb Jettweb php Ready Rent A Car Site Script
Summary		(es) Jettweb Hazir Rent A Car Scripti V4 contiene múltiples vulnerabilidades de inyección SQL en el panel de administración que permiten a atacantes no autenticados manipular consultas de base de datos a través de parámetros GET. Los atacantes pueden inyectar código SQL en los parámetros 'tur', 'id' y 'ozellikdil' del endpoint admin/index.php para extraer información sensible de la base de datos o causar denegación de servicio.

12 Mar 2026, 16:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 16:16

Updated : 2026-03-17 20:09

NVD link : CVE-2019-25488

Mitre link : CVE-2019-25488

CVE.ORG link : CVE-2019-25488

JSON object : View

Products Affected

jettweb

php_ready_rent_a_car_site_script

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

{"id": "CVE-2019-25488", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 4.2, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-12T16:16:02.623", "references": [{"url": "https://www.exploit-db.com/exploits/46614", "tags": ["Exploit", "VDB Entry"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/jettweb-hazir-rent-a-car-scripti-v4-sql-injection-via-admin", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-89"}]}], "descriptions": [{"lang": "en", "value": "Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into the 'tur', 'id', and 'ozellikdil' parameters of the admin/index.php endpoint to extract sensitive database information or cause denial of service."}, {"lang": "es", "value": "Jettweb Hazir Rent A Car Scripti V4 contiene m\u00faltiples vulnerabilidades de inyecci\u00f3n SQL en el panel de administraci\u00f3n que permiten a atacantes no autenticados manipular consultas de base de datos a trav\u00e9s de par\u00e1metros GET. Los atacantes pueden inyectar c\u00f3digo SQL en los par\u00e1metros 'tur', 'id' y 'ozellikdil' del endpoint admin/index.php para extraer informaci\u00f3n sensible de la base de datos o causar denegaci\u00f3n de servicio."}], "lastModified": "2026-03-17T20:09:32.330", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jettweb:php_ready_rent_a_car_site_script:4:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "B06040D7-0F8D-4205-87A5-EB9CCDF240F1"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}