CVE-2019-25728

HIGH

Care2x 2.7 Hospital Information System SQL Injection via ck_config

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2019-25728. PoCs published by Carlos Avila.

AI-analyzed exploit summary This is a technical writeup detailing multiple SQL injection vulnerabilities in Care2x 2.7, specifically targeting the 'ck_config' cookie parameter across various endpoints. The author provides a proof of concept using sqlmap to demonstrate exploitation and database enumeration.

Description

Care2x 2.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter. Attackers can inject malicious SQL through the ck_config cookie in multiple endpoints including login.php, indexframe.php, and various module files to extract sensitive database information without authentication.

Exploits (1)

exploitdb WRITEUP

by Carlos Avila · textwebappsphp

https://www.exploit-db.com/exploits/46268

View Code ZIP pw:eip

This is a technical writeup detailing multiple SQL injection vulnerabilities in Care2x 2.7, specifically targeting the 'ck_config' cookie parameter across various endpoints. The author provides a proof of concept using sqlmap to demonstrate exploitation and database enumeration.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Care2x 2.7

No auth needed

Prerequisites: Access to the target application · Ability to send crafted HTTP requests

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 04, 2026 Full analysis →

References (2)

Core 2

Core References

Exploit exploit

ExploitDB-46268

https://www.exploit-db.com/exploits/46268

Third Party Advisory third-party-advisory

VulnCheck Advisory: Care2x 2.7 Hospital Information System SQL Injection via ck_config

https://www.vulncheck.com/advisories/care2x-hospital-information-system-sql-injection-via-ck-config

Scores

CVSS v3 8.2

EPSS 0.0026

EPSS Percentile 17.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-89

Status published

Products (1)

care2x/Care2x 2.7

Published Jun 04, 2026

Tracked Since Jun 04, 2026