Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
9 vulnerabilities by Doditsolutions
CVE-2019-25494 (GCVE-0-2019-25494)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel
Summary
Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25494",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:24:33.822475Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:25:29.418Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like \u0027=\u0027 \u0027or\u0027 in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:43.332Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-authentication-bypass-via-admin-panel"
}
],
"title": "Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25494",
"datePublished": "2026-02-27T17:23:36.185Z",
"dateReserved": "2026-02-27T16:34:00.472Z",
"dateUpdated": "2026-04-07T14:04:43.332Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25493 (GCVE-0-2019-25493)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection via getrecord.php
Summary
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25493",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:23:59.240010Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:24:09.868Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the \u0027val\u0027 parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious \u0027val\u0027 values to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:42.678Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection via getrecord.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-getrecordphp"
}
],
"title": "Homey BNB V4 SQL Injection via getrecord.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25493",
"datePublished": "2026-02-27T17:23:35.222Z",
"dateReserved": "2026-02-27T16:33:52.976Z",
"dateUpdated": "2026-04-07T14:04:42.678Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25492 (GCVE-0-2019-25492)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection via getcmsdata.php
Summary
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25492",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:22:54.769478Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:23:16.032Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the \u0027pt\u0027 parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious \u0027pt\u0027 values to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:41.977Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection via getcmsdata.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-getcmsdataphp"
}
],
"title": "Homey BNB V4 SQL Injection via getcmsdata.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25492",
"datePublished": "2026-02-27T17:23:34.010Z",
"dateReserved": "2026-02-27T16:33:45.375Z",
"dateUpdated": "2026-04-07T14:04:41.977Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25491 (GCVE-0-2019-25491)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection via cms_getpagetitle.php
Summary
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25491",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:31:26.083849Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:31:40.556Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:41.216Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection via cms_getpagetitle.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-cmsgetpagetitlephp"
}
],
"title": "Homey BNB V4 SQL Injection via cms_getpagetitle.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25491",
"datePublished": "2026-02-27T17:23:33.151Z",
"dateReserved": "2026-02-27T16:33:37.406Z",
"dateUpdated": "2026-04-07T14:04:41.216Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25490 (GCVE-0-2019-25490)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection via admin edit.php
Summary
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25490",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:30:50.356605Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:31:02.347Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the \u0027id\u0027 parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:40.470Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection via admin edit.php",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-admin-editphp"
}
],
"title": "Homey BNB V4 SQL Injection via admin edit.php",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25490",
"datePublished": "2026-02-27T17:23:32.329Z",
"dateReserved": "2026-02-27T16:33:29.715Z",
"dateUpdated": "2026-04-07T14:04:40.470Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2019-25489 (GCVE-0-2019-25489)
Vulnerability from cvelistv5 – Published: 2026-02-27 17:23 – Updated: 2026-04-07 14:04
VLAI
Title
Homey BNB V4 SQL Injection via ajax_refresh_subtotal
Summary
Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.
Severity
SSVC
Exploitation: poc
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/46616 | exploit |
| https://www.doditsolutions.com/airbnb-clone-script/ | product |
| https://www.vulncheck.com/advisories/homey-bnb-sq… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Doditsolutions | Homey BNB (Airbnb Clone Script) |
Affected:
V4
|
Date Public
2019-03-28 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25489",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T18:28:20.456944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-27T18:28:30.334Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Homey BNB (Airbnb Clone Script)",
"vendor": "Doditsolutions",
"versions": [
{
"status": "affected",
"version": "V4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ahmet \u00dcmit BAYRAM"
}
],
"datePublic": "2019-03-28T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-07T14:04:39.827Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-46616",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/46616"
},
{
"name": "Homey BNB (Airbnb Clone Script) - Doditsolutions",
"tags": [
"product"
],
"url": "https://www.doditsolutions.com/airbnb-clone-script/"
},
{
"name": "VulnCheck Advisory: Homey BNB V4 SQL Injection via ajax_refresh_subtotal",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/homey-bnb-sql-injection-via-ajaxrefreshsubtotal"
}
],
"title": "Homey BNB V4 SQL Injection via ajax_refresh_subtotal",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25489",
"datePublished": "2026-02-27T17:23:31.447Z",
"dateReserved": "2026-02-27T16:33:21.104Z",
"dateUpdated": "2026-04-07T14:04:39.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2017-17830 (GCVE-0-2017-17830)
Vulnerability from cvelistv5 – Published: 2017-12-21 05:00 – Updated: 2024-09-16 16:53
VLAI
Summary
Bus Booking Script has CSRF via admin/new_master.php.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/d4wner/Vulnerabilities-Report/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:48.913Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bus Booking Script has CSRF via admin/new_master.php."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T05:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17830",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bus Booking Script has CSRF via admin/new_master.php."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md",
"refsource": "MISC",
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17830",
"datePublished": "2017-12-21T05:00:00.000Z",
"dateReserved": "2017-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-16T16:53:31.207Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17828 (GCVE-0-2017-17828)
Vulnerability from cvelistv5 – Published: 2017-12-21 05:00 – Updated: 2024-09-17 04:20
VLAI
Summary
Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/d4wner/Vulnerabilities-Report/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:48.285Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T05:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17828",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bus Booking Script has XSS via the results.php datepicker parameter or the admin/new_master.php spemail parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md",
"refsource": "MISC",
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17828",
"datePublished": "2017-12-21T05:00:00.000Z",
"dateReserved": "2017-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T04:20:15.446Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2017-17829 (GCVE-0-2017-17829)
Vulnerability from cvelistv5 – Published: 2017-12-21 05:00 – Updated: 2024-09-17 01:31
VLAI
Summary
Bus Booking Script has SQL Injection via the admin/view_seatseller.php sp_id parameter or the admin/view_member.php memid parameter.
Severity
No CVSS data available.
CWE
- n/a
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/d4wner/Vulnerabilities-Report/… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-05T21:06:48.286Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Bus Booking Script has SQL Injection via the admin/view_seatseller.php sp_id parameter or the admin/view_member.php memid parameter."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2017-12-21T05:00:00.000Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
],
"x_legacyV4Record": {
"CVE_data_meta": {
"ASSIGNER": "cve@mitre.org",
"ID": "CVE-2017-17829",
"STATE": "PUBLIC"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "n/a",
"version": {
"version_data": [
{
"version_value": "n/a"
}
]
}
}
]
},
"vendor_name": "n/a"
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Bus Booking Script has SQL Injection via the admin/view_seatseller.php sp_id parameter or the admin/view_member.php memid parameter."
}
]
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "n/a"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md",
"refsource": "MISC",
"url": "https://github.com/d4wner/Vulnerabilities-Report/blob/master/Bus-Booking-Script.md"
}
]
}
}
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2017-17829",
"datePublished": "2017-12-21T05:00:00.000Z",
"dateReserved": "2017-12-20T00:00:00.000Z",
"dateUpdated": "2024-09-17T01:31:00.612Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}