9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-7726

GHSA ID

GHSA-q4qv-fmwc-qxpx

EPSS Score

0.72035%

CWE

CWE-89

Published

6/22/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2019-7726

CVE-2019-7726: SQL Injection in NukeViet

modules/banners/funcs/click.php in NukeViet before 4.3.04 has a SQL INSERT statement with raw header data from an HTTP request (e.g., Referer and User-Agent).

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2019-7726

GHSA ID

GHSA-q4qv-fmwc-qxpx

EPSS Score

0.72035%

CWE

CWE-89

Published

6/22/2021

Updated

2/1/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
nukeviet/nukeviet	composer	< 4.3.04	4.3.04

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from constructing SQL queries using untrusted HTTP header inputs (client_info['referer'], client_info['client_os']['name'], etc.) without escaping or prepared statements. The commit diff shows the fix added $db->quote() wrappers around these values, confirming they were previously vulnerable to SQL injection. The affected code handles banner click tracking where attacker-controlled headers are directly embedded in SQL syntax.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

mo*ul*s/**nn*rs/*un*s/*li*k.p*p in Nuk*Vi*t ***or* *.*.** **s * SQL INS*RT st*t*m*nt wit* r*w *****r **t* *rom *n *TTP r*qu*st (*.*., R***r*r *n* Us*r-***nt).

Reasoning

T** vuln*r**ility st*ms *rom *onstru*tin* SQL qu*ri*s usin* untrust** *TTP *****r inputs (*li*nt_in*o['r***r*r'], *li*nt_in*o['*li*nt_os']['n*m*'], *t*.) wit*out *s**pin* or pr*p*r** st*t*m*nts. T** *ommit *i** s*ows t** *ix ***** $**->quot*() wr*pp*

9.8

Basic Information

Concerned about an active attack path?

CVE-2019-7726: SQL Injection in NukeViet

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI