CVE-2019-25678

HIGH

C4G BLIS 3.4 SQL Injection via users_select.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25678. PoCs published by Carlos Avila.

AI-analyzed exploit summary This exploit demonstrates SQL injection in C4G Basic Laboratory Information System (BLIS) 3.4 via the 'site' parameter in users_select.php. It uses sqlmap to extract database names, confirming the vulnerability.

Description

C4G Basic Laboratory Information System 3.4 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the site parameter. Attackers can send GET requests to the users_select.php endpoint with crafted SQL payloads to extract sensitive database information including patient records and system credentials.

Exploits (1)

exploitdb WORKING POC

by Carlos Avila · textwebappsphp

https://www.exploit-db.com/exploits/46438

View Code ZIP pw:eip

This exploit demonstrates SQL injection in C4G Basic Laboratory Information System (BLIS) 3.4 via the 'site' parameter in users_select.php. It uses sqlmap to extract database names, confirming the vulnerability.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: C4G Basic Laboratory Information System v3.4

No auth needed

Prerequisites: Network access to the target application

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Apr 07, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit

ExploitDB-46438

https://www.exploit-db.com/exploits/46438

Third Party Advisory third-party-advisory

VulnCheck Advisory: C4G BLIS 3.4 SQL Injection via users_select.php

https://www.vulncheck.com/advisories/c4g-blis-sql-injection-via-users-select-php

Scores

CVSS v3 8.2

EPSS 0.0027

EPSS Percentile 18.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-306 CWE-89

Status published

Products (2)

C4G/Basic Laboratory Information System 3.4

gatech/computing_for_good\'s_basic_laboratory_information_system < 3.4

Published Apr 05, 2026

Tracked Since Apr 06, 2026