CVE-2019-25678

HIGH

C4G BLIS 3.4 SQL Injection via users_select.php

Title source: cna

Description

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the users_select.php endpoint with crafted SQL payloads to extract sensitive database information including patient records and system credentials.

Exploits (1)

exploitdb WORKING POC

by Carlos Avila · textwebappsphp

https://www.exploit-db.com/exploits/46438

View Code ZIP pw:eip

References (2)

Core 2

Core References

Exploit exploit

ExploitDB-46438

https://www.exploit-db.com/exploits/46438

Third Party Advisory third-party-advisory

VulnCheck Advisory: C4G BLIS 3.4 SQL Injection via users_select.php

https://www.vulncheck.com/advisories/c4g-blis-sql-injection-via-users-select-php

Scores

CVSS v3 8.2

EPSS 0.0008

EPSS Percentile 22.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306 CWE-89

Status published

Products (2)

C4G/Basic Laboratory Information System 3.4

gatech/computing_for_good\'s_basic_laboratory_information_system < 3.4

Published Apr 05, 2026

Tracked Since Apr 06, 2026