CVE-2019-25438

HIGH

LabCollector 5.423 - Unauthenticated SQL Injection via login.php or retrieve_password.php Parameters

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25438. PoCs published by Carlos Avila.

AI-analyzed exploit summary This is a technical writeup detailing SQL injection vulnerabilities in LabCollector 5.423, specifically in the 'login' and 'user_name' parameters. It includes proof-of-concept HTTP requests and references to sqlmap for exploitation.

Description

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.

Exploits (1)

exploitdb WRITEUP

by Carlos Avila · textwebappsphp

https://www.exploit-db.com/exploits/47460

View Code ZIP pw:eip

This is a technical writeup detailing SQL injection vulnerabilities in LabCollector 5.423, specifically in the 'login' and 'user_name' parameters. It includes proof-of-concept HTTP requests and references to sqlmap for exploitation.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: LabCollector (Laboratory Information System) 5.423

No auth needed

Prerequisites: Network access to the target application

MITRE ATT&CK

T1189 - Drive-by Compromise T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 21, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/47460

Various Sources product

https://labcollector.com/

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/labcollector-sql-injection-via-loginphp

Scores

CVSS v3 7.5

EPSS 0.0048

EPSS Percentile 37.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

agilebio/labcollector 5.423

Labcollector/LabCollector 5.423

Published Feb 20, 2026

Tracked Since Feb 21, 2026