CVE-2019-25505

HIGH

Tradebox 5.4 - Authenticated SQL Injection via Symbol Parameter

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25505. PoCs published by Abdullah Çelebi.

AI-analyzed exploit summary The exploit demonstrates SQL injection vulnerabilities in Tradebox 5.4 via the 'symbol' POST parameter. It includes multiple SQLi techniques (boolean-based blind, time-based blind, error-based, and union-based) to extract data or delay responses.

Description

Tradebox 5.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the symbol parameter. Attackers can send POST requests to the monthly_deposit endpoint with malicious symbol values using boolean-based blind, time-based blind, error-based, or union-based SQL injection techniques to extract sensitive database information.

Exploits (1)

exploitdb WORKING POC

by Abdullah Çelebi · textwebappsphp

https://www.exploit-db.com/exploits/46671

View Code ZIP pw:eip

The exploit demonstrates SQL injection vulnerabilities in Tradebox 5.4 via the 'symbol' POST parameter. It includes multiple SQLi techniques (boolean-based blind, time-based blind, error-based, and union-based) to extract data or delay responses.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Tradebox - CryptoCurrency Buy Sell and Trading Software v5.4

Auth required

Prerequisites: valid user session (csrf_test_name parameter suggests CSRF token may be required)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Mar 05, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit, Third Party Advisory exploit

https://www.exploit-db.com/exploits/46671

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/tradebox-sql-injection-via-symbol-parameter

Scores

CVSS v3 7.1

EPSS 0.0029

EPSS Percentile 20.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (2)

bdtask/tradebox 5.4

Bdtask/Tradebox 5.4

Published Mar 04, 2026

Tracked Since Mar 05, 2026