HIGH 8.2

CVE-2019-25726: SQL Injection in All in One Video Downloader 1.2 – HIGH Severity Vulnerability

All in One Video Downloader version 1.2 contains an SQL injection flaw that lets attackers query the application's database without authentication. By crafting malicious requests to the admin interface, adversaries can extract sensitive information like user credentials and database structure details. The vulnerability requires no special access or user interaction—attackers can exploit it remotely over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

All in One Video Downloader 1.2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the id parameter. Attackers can send requests to the admin interface with UNION-based SQL injection payloads in the id parameter to extract sensitive database information including usernames, databases, and version details.

5 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2019-25726 is a UNION-based SQL injection vulnerability in the admin interface of All in One Video Downloader 1.2. The flaw exists in the id parameter, which fails to properly sanitize user input before incorporating it into SQL queries. Attackers can inject arbitrary SQL syntax to manipulate query logic, retrieve unauthorized data, or potentially modify database contents. The attack vector is network-based, requires no authentication, and has low attack complexity, making it trivially exploitable by automated scanners.

Business impact

This vulnerability exposes the application's entire database to unauthorized access, creating immediate risk of credential theft, user data exfiltration, and potential compliance violations (GDPR, HIPAA, PCI-DSS depending on stored data). If the application stores payment information, personal identifiers, or other sensitive user records, attackers can harvest and monetize that data. The reputational damage from a confirmed breach could exceed the technical remediation cost.

Affected systems

All in One Video Downloader version 1.2 is confirmed vulnerable. Organizations running this software should assume they are at risk. Patch availability and version compatibility should be verified directly with the vendor. If your organization has this application deployed—even on internal or staging systems—it should be treated as a priority remediation target.

Exploitability

Exploitation is straightforward and requires only HTTP client tools (curl, Burp Suite, or custom scripts). No authentication is needed, no user interaction is required, and the attack can be fully automated. Public awareness of the flaw may drive opportunistic scanning and exploitation attempts. The low barrier to entry means this vulnerability will likely see active exploitation if the affected software is internet-facing.

Remediation

Immediately upgrade All in One Video Downloader beyond version 1.2. Verify the patched version from the vendor's official advisory before deployment. If immediate patching is impossible, implement network segmentation to restrict access to the admin interface to trusted internal IPs only, and monitor database activity for suspicious queries. Additionally, run SQL injection detection and Web Application Firewall (WAF) rules to block common payloads until patching is complete.

Patch guidance

Contact the vendor or consult the official advisory to identify the patched version number and deployment method. Test the patch in a non-production environment first to confirm compatibility with your specific deployment. After patching, verify that the id parameter is now properly parameterized and that SQL injection payloads are rejected. Document the patch date and version for audit and compliance records.

Detection guidance

Monitor HTTP logs for requests to the admin interface containing SQL keywords (SELECT, UNION, WHERE, OR, AND) in the id parameter, especially those with unusual encodings or special characters. Enable database query logging to detect suspicious SELECT statements that retrieve multiple tables or extract system metadata. Deploy a WAF with SQL injection signatures to block malicious patterns before they reach the application. Query application logs for error messages indicating SQL syntax violations, which may signal active exploitation attempts.

Why prioritize this

This vulnerability scores 8.2 (HIGH) under CVSS 3.1 due to its high confidentiality impact, network-based attack vector, and complete lack of authentication requirements. While integrity impact is limited (attackers cannot easily modify data), the exposure of sensitive database contents poses immediate business and compliance risk. The ease of exploitation and remote nature elevate this above many other vulnerabilities and warrant urgent action.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects: (1) Network attack vector—exploitable from anywhere without VPN or physical access; (2) No privileges required—unauthenticated exploitation; (3) No user interaction—fully automated attack; (4) High confidentiality impact—full database read access; (5) Low integrity impact—SQL injection can modify data but is not the primary threat vector; (6) No availability impact—DoS is not the primary concern. This combination places the vulnerability in the HIGH severity tier, demanding rapid remediation.

Frequently asked questions

Can this vulnerability be exploited if the admin interface is not internet-facing?

Yes. If an attacker gains internal network access (via phishing, VPN compromise, or lateral movement), they can still exploit this flaw. Network segmentation and strict access controls to the admin interface are essential even behind firewalls.

What data is at risk if this vulnerability is exploited?

Any data stored in the application's database is at risk, including user credentials, email addresses, personal information, and configuration data. The attacker can use UNION-based injection to query metadata tables and identify what databases and tables exist, then extract them selectively.

Is there a workaround if we cannot patch immediately?

Partial mitigation is possible: restrict admin interface access to specific IP ranges, implement WAF rules to block SQL injection patterns in the id parameter, and enable comprehensive database and application logging for forensic detection. These measures reduce risk but do not eliminate it—patching remains essential.

How can we tell if we have been exploited?

Review database query logs for SELECT statements referencing system metadata tables or multiple tables joined via UNION. Check HTTP access logs for requests to admin endpoints containing SQL keywords or unusual URL encoding. Enable query auditing and monitor for failed login attempts followed by successful data extraction queries.

This analysis is based on published CVE data as of the modification date provided. Patch availability, version numbers, and vendor-specific guidance should be verified against official vendor advisories before remediation. Organizations must conduct their own risk assessment and testing in their environment. This document does not constitute legal, compliance, or operational guidance and should be reviewed by qualified security and legal professionals before implementation. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).