CVE-2019-25552

CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an application crash.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://cewe-photoworld.com/	Product
https://www.exploit-db.com/exploits/46861	Exploit VDB Entry
https://www.vulncheck.com/advisories/cewe-photo-show-denial-of-service-via-password-field	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:cewe:photo_show:6.4.3:*:*:*:*:*:*:*

History

10 Apr 2026, 01:20

Type	Values Removed	Values Added
CPE		cpe:2.3:a:cewe:photo_show:6.4.3:::::::*
References	~~() https://cewe-photoworld.com/ -~~	() https://cewe-photoworld.com/ - Product
References	~~() https://www.exploit-db.com/exploits/46861 -~~	() https://www.exploit-db.com/exploits/46861 - Exploit, VDB Entry
References	~~() https://www.vulncheck.com/advisories/cewe-photo-show-denial-of-service-via-password-field -~~	() https://www.vulncheck.com/advisories/cewe-photo-show-denial-of-service-via-password-field - Third Party Advisory
Summary		(es) CEWE PHOTO SHOW 6.4.3 contiene una vulnerabilidad de denegación de servicio que permite a los atacantes bloquear la aplicación al enviar un búfer excesivamente largo al campo de contraseña. Los atacantes pueden pegar una cadena larga de caracteres repetidos en la entrada de contraseña durante el proceso de carga para provocar un bloqueo de la aplicación.
First Time		Cewe photo Show Cewe

21 Mar 2026, 13:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-21 13:16

Updated : 2026-04-10 01:20

NVD link : CVE-2019-25552

Mitre link : CVE-2019-25552

CVE.ORG link : CVE-2019-25552

JSON object : View

Products Affected

cewe

photo_show

CWE

CWE-836

Use of Password Hash Instead of Password for Authentication

{"id": "CVE-2019-25552", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-21T13:16:17.507", "references": [{"url": "https://cewe-photoworld.com/", "tags": ["Product"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.exploit-db.com/exploits/46861", "tags": ["Exploit", "VDB Entry"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/cewe-photo-show-denial-of-service-via-password-field", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-836"}]}], "descriptions": [{"lang": "en", "value": "CEWE PHOTO SHOW 6.4.3 contains a denial of service vulnerability that allows attackers to crash the application by submitting an excessively long buffer to the password field. Attackers can paste a large string of repeated characters into the password input during the upload process to trigger an application crash."}, {"lang": "es", "value": "CEWE PHOTO SHOW 6.4.3 contiene una vulnerabilidad de denegaci\u00f3n de servicio que permite a los atacantes bloquear la aplicaci\u00f3n al enviar un b\u00fafer excesivamente largo al campo de contrase\u00f1a. Los atacantes pueden pegar una cadena larga de caracteres repetidos en la entrada de contrase\u00f1a durante el proceso de carga para provocar un bloqueo de la aplicaci\u00f3n."}], "lastModified": "2026-04-10T01:20:49.400", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:cewe:photo_show:6.4.3:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9DF9234C-8F74-4815-A17E-4A711B213FE4"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}