Search criteria
1 vulnerability by Thrive
CVE-2019-25325 (GCVE-0-2019-25325)
Vulnerability from cvelistv5 – Published: 2026-02-12 22:48 – Updated: 2026-02-13 15:41
VLAI?
Title
Thrive Smart Home 1.1 - 'Smart Home' Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Summary
Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the 'user' POST parameter. Attackers can inject malicious SQL code like ' or 1=1# to manipulate login queries and gain unauthorized access to the application.
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Thrive | Smart Home |
Affected:
1.1
|
Credits
LiquidWorm as Gjoko Krstic of Zero Science Lab
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2019-25325",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-13T15:41:47.575307Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-13T15:41:54.941Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Smart Home",
"vendor": "Thrive",
"versions": [
{
"status": "affected",
"version": "1.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "LiquidWorm as Gjoko Krstic of Zero Science Lab"
}
],
"datePublic": "2019-12-30T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Thrive Smart Home 1.1 contains an SQL injection vulnerability in the checklogin.php endpoint that allows unauthenticated attackers to bypass authentication by manipulating the \u0027user\u0027 POST parameter. Attackers can inject malicious SQL code like \u0027 or 1=1# to manipulate login queries and gain unauthorized access to the application."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-12T22:48:37.427Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-47814",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/47814"
},
{
"name": "Zero Science Lab Security Advisory ZSL-2019-5554",
"tags": [
"technical-description",
"exploit"
],
"url": "https://www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5554.php"
},
{
"name": "Packet Storm Entry",
"tags": [
"exploit"
],
"url": "https://packetstorm.news/files/id/155797"
},
{
"name": "CXSecurity Entry",
"tags": [
"exploit"
],
"url": "https://cxsecurity.com/issue/WLB-2020010019"
},
{
"name": "IBM X-Force Exchange Entry",
"tags": [
"third-party-advisory"
],
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/173728"
},
{
"name": "VulnCheck Advisory: Thrive Smart Home 1.1 - \u0027Smart Home\u0027 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/thrive-smart-home-smart-home-improper-limitation-o"
}
],
"title": "Thrive Smart Home 1.1 - \u0027Smart Home\u0027 Improper Limitation of a Pathname to a Restricted Directory (\u0027Path Traversal\u0027)",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2019-25325",
"datePublished": "2026-02-12T22:48:37.427Z",
"dateReserved": "2026-02-12T14:37:15.296Z",
"dateUpdated": "2026-02-13T15:41:54.941Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}