CVE-2018-25402: SQL Injection in Open ISES Project 3.30A
Open ISES Project version 3.30A contains an SQL injection vulnerability accessible to unauthenticated attackers over the network. By crafting malicious SQL statements in the p1 parameter of GET requests to inc_types_graph.php, an attacker can query the underlying database directly, potentially exposing schema details, user records, and other sensitive stored data. The vulnerability requires no authentication or user interaction, making it relatively straightforward to exploit.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-29 / 2026-06-17
NVD description (verbatim)
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25402 is an SQL injection flaw (CWE-89) in Open ISES Project 3.30A affecting the inc_types_graph.php endpoint. The application fails to sanitize or parameterize the p1 parameter before incorporating it into SQL queries. Attackers can leverage this to execute arbitrary SQL commands via GET requests, allowing information disclosure and limited data modification. The CVSS 3.1 score of 8.2 (HIGH) reflects high confidentiality impact, low integrity impact, and no availability impact—consistent with an SQL injection that primarily enables data exfiltration rather than system disruption.
Business impact
Successful exploitation enables attackers to harvest sensitive business and customer data stored in the application's database without authentication. This includes exposure of schema structures, user accounts, credentials, and application-specific information. Such breaches can lead to regulatory compliance violations (GDPR, CCPA, HIPAA depending on data type), reputational damage, and downstream lateral attacks using extracted credentials. The vulnerability's ease of exploitation (no authentication required) amplifies the risk of opportunistic scanning and attack.
Affected systems
Open ISES Project version 3.30A is affected. Organizations running this version should immediately inventory instances in their environment. The vendor or project maintainer should be contacted to determine whether later versions contain fixes. Without explicit version information in the advisory, verify the exact version in your deployment to confirm exposure.
Exploitability
This vulnerability has high exploitability. The attack vector is network-based, requires no credentials, and involves no user interaction. Attackers can automate scanning and exploitation via simple HTTP GET requests. The barrier to entry is low—basic knowledge of SQL syntax and HTTP requests suffices. No authentication or privilege escalation is needed to trigger the flaw, making it attractive to both opportunistic and targeted adversaries.
Remediation
Immediately patch Open ISES Project to a version containing the SQL injection fix; consult the vendor advisory or release notes for the specific patched version number. If a patch is unavailable or cannot be deployed immediately, implement network controls to restrict access to the affected inc_types_graph.php endpoint via web application firewalls (WAF) or IP whitelisting. Additionally, conduct a database access audit and review logs for signs of exploitation or unauthorized queries.
Patch guidance
Obtain and deploy the latest patched version of Open ISES Project from the official project repository or vendor. Verify the fix in the release notes before deployment. Test the patch in a non-production environment to confirm functionality and compatibility. After deployment, validate that the p1 parameter is now safely handled through parameterized queries or input validation. Establish a patch management cycle to stay current with future security updates.
Detection guidance
Monitor access logs for GET requests to inc_types_graph.php with suspicious p1 parameter values, especially those containing SQL keywords (SELECT, UNION, DROP, INSERT, etc.) or special characters (single quotes, dashes, parentheses). Enable database query logging to detect anomalous SQL execution, including unusual SELECT statements targeting system tables or schema information. Implement intrusion detection signatures for common SQL injection payloads. Correlate web server logs with database logs to identify successful exploitation attempts.
Why prioritize this
This vulnerability merits urgent remediation. It is unauthenticated, network-accessible, and has straightforward exploitation mechanics. The HIGH CVSS score of 8.2 reflects substantial confidentiality impact. Although not yet listed in the CISA Known Exploited Vulnerabilities catalog, the simplicity and potential for data exfiltration makes it a priority target for threat actors. Organizations handling sensitive data should treat this as a critical finding.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) is driven by: Attack Vector (Network) = easy remote access; Attack Complexity (Low) = no special conditions required; Privileges Required (None) = no authentication; User Interaction (None) = automatic exploitation possible; Confidentiality Impact (High) = significant data exposure potential; Integrity Impact (Low) = limited ability to modify data; Availability Impact (None) = no denial-of-service component. The high confidentiality impact dominates the rating, reflecting the primary risk of database information disclosure.
Frequently asked questions
Can this vulnerability be exploited without network access to the application?
No. The vulnerability requires network access to the inc_types_graph.php endpoint. However, if the application is internet-facing or accessible from a compromised internal network, the risk is substantially elevated.
What data can an attacker extract using this SQL injection?
An attacker can execute arbitrary SQL queries, potentially extracting any data in the database—including user credentials, personal information, application configuration, and system metadata. The scope depends on the database permissions and content relevant to your deployment.
If we have Web Application Firewall (WAF) rules in place, does this protect us?
A well-configured WAF with SQL injection signatures can block many—but not all—attack attempts. A WAF is a temporary mitigation while you prepare a patch, but patching the application code is the definitive fix.
How do we know if we've been exploited?
Review web server and database access logs for unusual GET requests to inc_types_graph.php with suspicious p1 parameter values, and for unexpected database queries. Compare database query logs against normal baseline activity. Consider engaging a forensics firm if a breach is suspected.
This analysis is provided for informational purposes to assist security professionals in vulnerability assessment and remediation planning. The details are based on the CVE record and standard vulnerability analysis methodologies. Always verify vendor advisories, patch availability, and affected version numbers directly with the Open ISES Project maintainers or vendor. Security decisions should incorporate your organization's risk tolerance, asset criticality, and threat landscape. Consider engaging qualified security personnel for deployment and testing of patches in production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access