PatchSiren cyber security CVE debrief
CVE-2019-25728 care2x CVE debrief
CVE-2019-25728 is a HIGH severity vulnerability in Care2x 2.7, with a CVSS score of 8.8. The vulnerability allows unauthenticated attackers to execute arbitrary SQL commands by manipulating the ck_config cookie parameter in multiple endpoints, including login.php, indexframe.php, and various module files. This enables attackers to extract sensitive database information without authentication.
- Vendor
- care2x
- Product
- Unknown
- CVSS
- HIGH 8.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-04
- Original CVE updated
- 2026-06-04
- Advisory published
- 2026-06-04
- Advisory updated
- 2026-06-04
Who should care
Users of Care2x 2.7 should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by multiple SQL injection vulnerabilities in Care2x 2.7, which can be exploited by manipulating the ck_config cookie parameter. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
HIGH
Recommended defensive actions
- Apply patches or updates to Care2x 2.7 to fix the SQL injection vulnerabilities.
- Restrict access to sensitive endpoints and parameters.
- Monitor for suspicious activity and implement additional security measures to prevent exploitation.
Evidence notes
The vulnerability is reported by [email protected] and is associated with CWE-89.
Official resources
CVE-2019-25728 was published on 2026-06-04T14:16:30.413Z and last modified on 2026-06-04T15:00:40.757Z.