CVE-2019-25580

Name of the Vulnerable Software and Affected Versions ownDMS version 4.7

Description An SQL injection allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the IMG parameter. This is achieved by sending GET requests to the endpoints 'pdfstream.php', 'imagestream.php', or 'anyfilestream.php' with crafted payloads in the IMG parameter to extract sensitive database information, such as the database names and version.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability. As a temporary workaround, restrict access to the endpoints 'pdfstream.php', 'imagestream.php', and 'anyfilestream.php' or avoid using the IMG parameter in these endpoints.