Description
Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. Attackers can send POST requests to the loginaction.php endpoint with crafted SQL payloads in the Email field to extract sensitive database information or bypass authentication.
Published: 2026-03-12
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection
Action: Patch
AI Analysis

Impact

Netartmedia PHP Business Directory 4.2 contains an input handling flaw that allows an unauthenticated attacker to inject arbitrary SQL through the Email field in loginaction.php. This flaw, classified as CWE-89, lets the attacker read or manipulate database data and potentially bypass authentication by altering the login query. The result is a compromise of database confidentiality and integrity, which could allow further escalation or unauthorized access to the application’s privileged functions.

Affected Systems

The vulnerability affects installations of Netartmedia PHP Business Directory version 4.2. The vendor CNA product line is listed as Phpbusinessdirectory:Netartmedia PHP Business Directory, with no additional sub‑version details provided. Any instance running this unpatched version is considered vulnerable.

Risk and Exploitability

The CVSS 4.0 score of 8.8 reflects high severity due to the potential for full data disclosure and authentication bypass. The EPSS score is below 1%, indicating a low estimated probability of exploitation in the near term, but the risk remains significant. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires only an unauthenticated HTTP POST to loginaction.php with a crafted SQL payload in the Email field; no conditions apply beyond network access to the application.

Generated by OpenCVE AI on March 18, 2026 at 15:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor’s website or repository for an official patch or upgrade for Netartmedia PHP Business Directory 4.2
  • Apply the vendor‑supplied patch or upgrade to a non‑vulnerable version as soon as it becomes available
  • If no patch is available, restrict external access to loginaction.php to trusted IP ranges and enforce strict email format validation on the Email field
  • Configure the application database user with the least privileges necessary, and consider refactoring the login logic to use prepared statements or stored procedures
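
The last two recommendations (strict Email validation plus a prepared statement) as an added PHP example; it is not the vendor's code or part of the advisory. The users table, its columns and the find_user() helper are hypothetical, and the demo rows are constructed in an in-memory SQLite database.

```php
<?php
declare(strict_types=1);

// Hypothetical login lookup: schema and function name are assumptions,
// the page does not show the application's code.
function find_user(PDO $db, string $email, string $password): ?int
{
    // 1. Strict format validation: drop anything that is not an e-mail address.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // 2. Prepared statement: the value is bound as data, never concatenated
    //    into the SQL text, so quotes in it cannot change the query.
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // 3. Check the password in PHP instead of inside the WHERE clause.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    return (int) $row['id'];
}

// Constructed demo data (in-memory SQLite, not the application's database).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (email, password_hash) VALUES (?, ?)');
$ins->execute(['owner@example.test', password_hash('correct horse', PASSWORD_DEFAULT)]);

// Constructed inputs: a valid login, a wrong password, an address with a
// quote in the local part (legal in an address, so validation alone is not
// the fix), and a value with a quote and a space (fails validation).
$cases = [
    ['owner@example.test', 'correct horse'],
    ['owner@example.test', 'wrong'],
    ["o'neil@example.test", 'x'],
    ["owner@example.test' x", 'x'],
];
foreach ($cases as [$email, $pw]) {
    $id = find_user($db, $email, $pw);
    printf("%-26s => %s\n", $email, $id === null ? 'rejected' : "user id $id");
}
```

Format validation narrows the input but does not replace parameter binding, because characters such as a single quote are valid in an e-mail local part.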

Advisories

No advisories yet.

History

Fri, 13 Mar 2026 10:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Netartmedia; Netartmedia php Business Directory |
| Vendors & Products | | Netartmedia; Netartmedia php Business Directory |

Thu, 12 Mar 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Thu, 12 Mar 2026 16:00:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. Attackers can send POST requests to the loginaction.php endpoint with crafted SQL payloads in the Email field to extract sensitive database information or bypass authentication. |
| Title | | Netartmedia PHP Business Directory 4.2 SQL Injection via loginaction.php |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-12T16:32:07.694Z

Reserved: 2026-03-12T14:24:15.913Z

Link: CVE-2019-25533

Vulnrichment

Updated: 2026-03-12T16:31:53.637Z

NVD

Status: Awaiting Analysis

Published: 2026-03-12T16:16:07.383

Modified: 2026-03-12T21:07:53.427

Link: CVE-2019-25533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T15:49:12Z
