PT-2026-7925 · Unknown · Thrive Smart Home
Published 2026-02-12 · Updated 2026-02-12
CVE-2019-25325
CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
Thrive Smart Home version 1.1
Description
The application contains an SQL injection issue in the checklogin.php endpoint. Unauthenticated attackers can bypass authentication by manipulating the user POST parameter. Attackers can inject malicious SQL code, such as ' or 1=1#, to manipulate login queries and gain unauthorized access to the application.
Recommendations
Update to a newer version that contains a fix for this vulnerability. As a temporary workaround, consider restricting access to the checklogin.php endpoint until a patch is available. Sanitize the user POST parameter to prevent SQL injection attacks.
Exploit
Fix
SQL injection
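An added example, not code from Thrive Smart Home or from this advisory: a login check that binds the user value as a query parameter, so the ' or 1=1# input quoted in the description is compared as a literal username instead of changing the query. The users table, its columns, the check_login function and the in-memory SQLite database are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hardened login check (hypothetical function; table and column names are assumed).
function check_login(PDO $pdo, string $user, string $password): bool
{
    // The user value travels as bound data, never as part of the SQL text,
    // so quotes and comment markers in it cannot alter the WHERE clause.
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE username = :user');
    $stmt->execute([':user' => $user]);
    $hash = $stmt->fetchColumn();

    if ($hash === false) {
        return false; // no such account
    }
    // Compare against a stored password hash rather than matching in SQL.
    return password_verify($password, $hash);
}

// Constructed demo data: an in-memory SQLite database stands in for the real one.
// With the MySQL driver, also set PDO::ATTR_EMULATE_PREPARES to false.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
$ins = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Valid credentials, the input quoted in the description, and a wrong password.
var_dump(check_login($pdo, 'admin', 'correct horse'));
var_dump(check_login($pdo, "' or 1=1#", 'anything'));
var_dump(check_login($pdo, 'admin', 'wrong'));
```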
Affected Products
Thrive Smart Home