
FreeSMS 2.1.2: Unauthenticated Password Bypass through SQL Injection

CVE-2019-25506
Summary

The password parameter of the login endpoint in FreeSMS 2.1.2 is vulnerable to boolean-based blind SQL injection. An unauthenticated attacker who knows a valid username can inject SQL through that parameter to bypass authentication and log in as that user, including administrators, and can then change the account's password through the profile update function. No fixed version is listed yet; until one is available, the login handler should be patched so that the password value is bound as a query parameter (prepared statement) rather than concatenated into the SQL string.

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor            Product   Affected versions   Fix available
freesms_project   freesms   <= 2.1.2            –
Original title
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the l...
Original description
FreeSMS 2.1.2 contains a boolean-based blind SQL injection vulnerability in the password parameter that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login endpoint. Attackers can exploit the vulnerable password parameter in requests to /pages/crc_handler.php?method=login to authenticate as any known user and subsequently modify their password via the profile update function.
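The description above says a boolean-based blind injection in the password parameter is enough both to log in as a known user and, more generally, to ask the database yes/no questions. The following is an added example written for this page, not code from FreeSMS: the real query in /pages/crc_handler.php is not shown on the page, so the table layout, the plaintext password column, SQLite as the backend, and the payload strings are all assumptions used only to illustrate the pattern. The vulnerable login builds its query by string concatenation (the CWE-89 pattern); the hardened one binds the same values as parameters, and the same payloads then fail.

```python
import sqlite3

# Constructed sample data: a minimal users table standing in for the real
# FreeSMS schema, which is not on the page. Plaintext passwords are a
# simplification for the demo, not a claim about how FreeSMS stores them.
SAMPLE_USERS = [
    ("admin", "s3cret"),
    ("alice", "hunter2"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password) VALUES (?, ?)", SAMPLE_USERS
    )
    conn.commit()
    return conn


DB = make_db()


def login_vulnerable(username, password):
    """Vulnerable pattern: the password value is spliced into the SQL text,
    so quotes and keywords in it are parsed as SQL (CWE-89).
    Returns the matched username, or None on failure."""
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password = '%s'"
        % (username, password)
    )
    row = DB.execute(query).fetchone()
    return row[0] if row else None


def login_hardened(username, password):
    """Hardened pattern: the same query with both values bound as parameters.
    The password is only ever compared as data, never parsed as SQL."""
    row = DB.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def bypass_payload(username):
    """Assumed password value that matches `username` without knowing the
    password: the injected OR re-selects the user, and -- comments out the
    closing quote. Illustrative payload, not taken from the advisory."""
    return "' OR username='%s' -- " % username


def blind_oracle(login, username, condition):
    """Boolean-based blind probe: the login either succeeds or fails, and that
    single bit tells the attacker whether `condition` holds for the user's
    row. Returns True when the (possibly injected) login succeeds."""
    payload = "' OR (username='%s' AND (%s)) -- " % (username, condition)
    return login(username, payload) == username


def recover_password_length(login, username, max_len=64):
    """Uses the oracle to infer the length of the stored password, one yes/no
    question per candidate length. Returns None if nothing leaks."""
    for n in range(1, max_len + 1):
        if blind_oracle(login, username, "length(password)=%d" % n):
            return n
    return None


if __name__ == "__main__":
    print("vulnerable, bypass:", login_vulnerable("admin", bypass_payload("admin")))
    print("hardened,   bypass:", login_hardened("admin", bypass_payload("admin")))
    print("vulnerable, leaked length:", recover_password_length(login_vulnerable, "admin"))
    print("hardened,   leaked length:", recover_password_length(login_hardened, "admin"))
```

The second function is the whole fix: a prepared statement with bound parameters leaves nothing for the attacker to terminate or comment out, which is why the same bypass payload and the same length probe both return nothing against it.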
NVD CVSS 3.1: 8.2
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 4 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026