CVE-2019-16894
published 2019-09-26

CVE-2019-16894: download.php in inoERP 4.15 allows SQL injection through insecure deserialization.

Priority: P2 62 · Severity: critical, 9.8 (CVSS 3.1, AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Exploit: public exploit available
EPSS: 3.02% (85.8th percentile)

Affected

1 range
Vendor: inoideas · Product: inoerp · Version range: (not listed) · Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /download.php
url: http://<host>/download.php
other: data_type=sql_query
other: czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw==
command: select * from ino_user;
command: select @@version;
  • Monitor HTTP POST requests to /download.php with a 'data_type' parameter set to 'sql_query'; this is the attack-specific trigger for the insecure deserialization/SQL injection path.
  • Flag the known probe payload czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw== (base64 of the PHP-serialized string s:17:"select @@version;";) appearing in the POST body 'data' parameter as a fingerprint for CVE-2019-16894 exploitation attempts.
  • SQL queries targeting the 'ino_user' table (e.g., 'select * from ino_user;') in deserialized payloads indicate credential harvesting attempts against inoERP.
  • The exploit requires PHP to be installed on the attacker's machine to generate the serialized+base64 payload via the shell command. Without PHP, the attacker must pre-compute payloads manually (a static probe payload is provided in the exploit).
  • The vulnerable endpoint is specifically /download.php in inoERP version 4.15; other versions are not confirmed affected by this source.
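As an added example (not code from the page's sources or from the inoERP project), the detection rules above applied in Python to constructed request records: the /download.php path with data_type=sql_query, the known probe fingerprint, and a base64-encoded PHP-serialized string in the data parameter that references ino_user. The record keys (method, path, body) and the sample requests are assumptions, not real traffic.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Probe fingerprint from the IOC list: base64 of the PHP-serialized string s:17:"select @@version;";
KNOWN_PROBE = "czoxNzoic2VsZWN0IEBAdmVyc2lvbjsiOw=="

def php_serialized_b64(text: str) -> str:
    """Build a payload in the form the vulnerable path consumes: PHP serialize() of a string, then base64."""
    raw = text.encode("utf-8")
    return base64.b64encode(b's:%d:"%s";' % (len(raw), raw)).decode("ascii")

def decode_serialized_sql(data_b64: str):
    """Return the string carried by a base64-encoded PHP serialized string, or None if it is not one."""
    try:
        raw = base64.b64decode(data_b64, validate=True).decode("utf-8", "replace")
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    m = re.fullmatch(r's:(\d+):"(.*)";', raw, re.DOTALL)
    if not m or int(m.group(1)) != len(m.group(2).encode("utf-8")):
        return None  # length field must match the payload, as PHP's unserialize() requires
    return m.group(2)

def classify_request(req: dict) -> list:
    """Tag one request record (assumed keys: method, path, body) with the detection rules it matches."""
    tags = []
    if req.get("method") != "POST" or req.get("path", "").split("?", 1)[0] != "/download.php":
        return tags
    params = parse_qs(req.get("body", ""))
    if params.get("data_type", [""])[0] == "sql_query":
        tags.append("download.php sql_query trigger")
    data = params.get("data", [""])[0]
    if data == KNOWN_PROBE:
        tags.append("known CVE-2019-16894 probe payload")
    sql = decode_serialized_sql(data)
    if sql is not None:
        tags.append("PHP-serialized string in data parameter")
        if re.search(r"\bino_user\b", sql, re.IGNORECASE):
            tags.append("query against ino_user (credential harvesting)")
    return tags

def sample_requests() -> list:
    """Constructed request records (not real traffic): the probe, a harvest attempt, one benign download."""
    harvest = urlencode({"data_type": "sql_query", "data": php_serialized_b64("select * from ino_user;")})
    return [
        {"method": "POST", "path": "/download.php", "body": "data_type=sql_query&data=" + KNOWN_PROBE},
        {"method": "POST", "path": "/download.php", "body": harvest},
        {"method": "POST", "path": "/download.php", "body": "data_type=csv&data=report"},
    ]
```

Run `classify_request` over each record from `sample_requests()`; only the first two records produce tags, and only the second carries the ino_user tag.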

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P