YouPHPTube <= 7.7 (getChat.json.php) SQL Injection Vulnerability

• Affected Versions:

Version 7.7 and prior versions.

• Vulnerability Description:

User input passed through the “live_stream_code” POST parameter to /plugin/LiveChat/getChat.json.php is not properly sanitized before being used to construct a SQL query. This can be exploited by malicious users to e.g. read sensitive data from the database through in-band SQL Injection attacks. Successful exploitation of this vulnerability requires the “Live Chat” plugin to be enabled (disabled by default).

• Solution:

Upgrade to version 7.8 or later.

• Disclosure Timeline:

[31/10/2019] – Issue reported to

[02/11/2019] – CVE number assigned

[02/12/2019] – Versions 7.8 released

[04/12/2019] – Publication of this advisory

• CVE Reference:

The Common Vulnerabilities and Exposures project ( has assigned the name CVE-2019-18662 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano.