CVE-2019-25635 in Matrimony CMS
Summary
by MITRE • 03/24/2026
Zeeways Matrimony CMS contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through the profile_list endpoint. Attackers can inject SQL code via the up_cast, s_mother, and s_religion parameters to extract sensitive database information using time-based or error-based techniques.
Analysis
by VulDB Data Team • 03/29/2026
The vulnerability identified as CVE-2019-25635 affects Zeeways Matrimony CMS, a web application designed for matrimonial services that has been found to contain multiple SQL injection flaws. This particular weakness manifests within the profile_list endpoint, which serves as a critical interface for users to browse and search through potential matches. The vulnerability represents a significant security risk as it allows unauthenticated attackers to manipulate database queries without requiring any valid credentials or session tokens, making the exploitation accessible to anyone who can access the application's web interface.
The technical flaw stems from inadequate input validation and sanitization within the application's backend processing of user-supplied parameters. Specifically, the up_cast, s_mother, and s_religion parameters are vulnerable to SQL injection attacks, as they are directly incorporated into database queries without proper escaping or parameterization. This vulnerability is particularly dangerous because it enables attackers to craft malicious SQL payloads that can be executed within the database context, potentially leading to unauthorized data access and manipulation. The exploitation techniques leverage time-based or error-based SQL injection methods, where attackers can infer database structure and contents by observing response times or error messages generated by the database system.
The operational impact of this vulnerability extends beyond simple data theft, as it can enable attackers to extract sensitive information including user credentials, personal details, and potentially system configuration data. The time-based SQL injection techniques allow for blind SQL injection attacks where attackers can determine database schema information through carefully constructed queries that cause the database to delay responses. Error-based injection methods provide more direct access to database contents by causing the system to return error messages containing the requested information. These vulnerabilities could lead to complete database compromise, user account takeover, and potential lateral movement within the application's infrastructure, as the database credentials and structure information could be leveraged to access additional systems or data sources.
Mitigation should focus on input validation and parameterized queries throughout the application's codebase. User input must never be incorporated directly into SQL statements; use prepared statements or parameterized queries, the standard remediation for CWE-89. Organizations should also implement comprehensive input sanitization and deploy web application firewalls to detect and block SQL injection attempts. Regular security assessments and code reviews should be conducted to identify similar vulnerabilities elsewhere in the codebase. In the ATT&CK framework, exploitation of this vulnerability falls under technique T1190 (Exploit Public-Facing Application), which emphasizes the need for robust database access controls and monitoring to detect unauthorized database access attempts. Regular updates and patches should be applied to keep the CMS protected against known vulnerabilities, and database permissions and access controls should be restricted to limit the damage from successful exploitation.
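The parameterized-query fix described above, shown next to the concatenating pattern it replaces. This is an added example, not code from Zeeways Matrimony CMS: only the parameter names up_cast, s_mother and s_religion come from the advisory, while the `profiles` table, its columns, the function names and the sample rows are assumptions constructed for illustration (SQLite stands in for the real database).

```python
import sqlite3

# Request parameter -> column. Parameter names are from the advisory;
# the table and column names are assumptions made for this example.
FILTERS = {"up_cast": "caste", "s_mother": "mother_tongue", "s_religion": "religion"}

def make_db():
    """Build a constructed in-memory profile table (sample data, not real)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE profiles (id INTEGER PRIMARY KEY, name TEXT,"
               " caste TEXT, mother_tongue TEXT, religion TEXT)")
    db.executemany(
        "INSERT INTO profiles (name, caste, mother_tongue, religion)"
        " VALUES (?, ?, ?, ?)",
        [("alice", "caste-a", "lang-x", "rel-1"),
         ("bina", "caste-b", "lang-y", "rel-2"),
         ("chitra", "caste-a", "lang-y", "rel-1")])
    return db

def search_unsafe(db, params):
    """'Before': request values are concatenated into the SQL text (CWE-89)."""
    sql = "SELECT name FROM profiles WHERE 1=1"
    for key, column in FILTERS.items():
        if params.get(key):
            sql += f" AND {column} = '{params[key]}'"  # input becomes SQL syntax
    return [row[0] for row in db.execute(sql + " ORDER BY id")]

def search_safe(db, params, max_len=64):
    """'After': fixed SQL text; values travel separately as bound parameters."""
    clauses, args = [], []
    for key, column in FILTERS.items():  # columns come only from the allow-list
        value = params.get(key)
        if value:
            if len(value) > max_len:
                raise ValueError(f"{key} is too long")
            clauses.append(f"{column} = ?")
            args.append(value)
    sql = "SELECT name FROM profiles"
    if clauses:
        sql += " WHERE " + " AND ".join(clauses)
    return [row[0] for row in db.execute(sql + " ORDER BY id", args)]

if __name__ == "__main__":
    db = make_db()
    crafted = {"s_religion": "none' OR '1'='1"}  # constructed test value
    print("unsafe:", search_unsafe(db, crafted))  # filter is bypassed
    print("safe:  ", search_safe(db, crafted))    # matched as a literal string
```

In the bound form the database never parses the request value as SQL, so a quote character in any of the three parameters is just part of the string being compared.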