CVE-2019-19245
Published 2019-12-02
Priority: P2 · 66 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 7.94% (94.0th percentile)
NAPC Xinet Elegant 6 Asset Library 6.1.655 allows Pre-Authentication SQL Injection via the /elegant6/login LoginForm[username] field when double quotes are used.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| napc | xinet_elegant_6_asset_library | — | — |
Detection & IOCs (extracted from sources)
- Detect unauthenticated POST requests to /elegant6/login containing double-quote characters in the LoginForm[username] parameter, which is the vulnerable injection point.
- Monitor POST bodies to /elegant6/login for the payload structure: LoginForm[password]=&LoginForm[rememberMe]=0&LoginForm[username]=<SQL>&yt0, which is the required parameter set for exploitation.
- Alert on HTTP responses from /elegant6/login containing the string 'CDbCommand', which indicates a SQL injection error is being leaked in the response body and confirms successful injection triggering.
- Flag GET requests to /elegant6/login where the response body contains the fingerprint string 'Elegant",appVersion:"6.1.655', as this is used by the exploit to confirm a vulnerable target before launching the injection.
- Detect rapid sequential POST requests to /elegant6/login (default 20 iterations with 0.3s sleep) from a single source IP, indicative of the automated SQL LIMIT-clause enumeration used by the exploit.
CVSS provenance
- NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.
References
- http://hyp3rlinx.altervista.org
- https://packetstormsecurity.com/files/155505/Xinet-Elegant-6-Asset-Library-Web-Interface-6.1.655-SQL-Injection.html
- http://seclists.org/fulldisclosure/2025/Feb/0