HIGH 8.2

CVE-2018-25403: SQL Injection in Open ISES Project 3.30A - Unauthenticated Remote Data Extraction

A SQL injection vulnerability exists in Open ISES Project version 3.30A that allows attackers without authentication to inject malicious database commands through a web parameter. By crafting specially designed requests to the city_graph.php file, attackers can extract sensitive information from the underlying database, including schema details and other stored data. The vulnerability requires no user interaction and can be exploited over the network.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-29 / 2026-06-17

NVD description (verbatim)

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

Open ISES Project 3.30A is vulnerable to SQL injection in the city_graph.php endpoint via the p1 parameter (CWE-89). The application fails to sanitize or parameterize user input before incorporating it into SQL queries, enabling unauthenticated remote attackers to execute arbitrary SQL statements. This occurs in a GET request context, meaning the attack is trivial to replicate and chain with other exploitation techniques. The primary impact is confidentiality breach through unauthorized database access; limited integrity and availability risk based on the CVSS vector assessment.

Business impact

Organizations deploying Open ISES Project 3.30A face direct exposure of sensitive database contents without requiring authentication. If this application handles customer records, financial data, or proprietary information, attackers can systematically extract and exfiltrate that data. The high CVSS score of 8.2 reflects the severity: confidentiality is fully compromised while the attacker gains reconnaissance of database structure, enabling follow-on attacks. Remediation delay increases the window for data theft and regulatory notification obligations under data protection frameworks.

Affected systems

Open ISES Project version 3.30A is affected. Organizations using this version in production, particularly in internet-facing deployments or internal networks accessible to untrusted users, should prioritize assessment. Verify your installed version and deployment context (network accessibility, data sensitivity, authentication mechanisms layered above the application).

Exploitability

Exploitability is high. The attack vector is network-based, requires no privileges, no user interaction, and no complex configuration. Attackers can craft HTTP GET requests with SQL payloads in the p1 parameter and immediately retrieve database information. No authentication bypass or client-side complexity is required. The simplicity of GET-based SQL injection makes this readily exploitable by low-skill attackers using automated scanning tools.

Remediation

Upgrade Open ISES Project to a patched version released after this vulnerability disclosure. Consult the Open ISES Project advisory to confirm the minimum version that resolves CVE-2018-25403. If immediate patching is not possible, implement network-level access controls to restrict external access to city_graph.php, apply input validation at a WAF layer, and enforce database accounts with minimal privilege. Monitor database query logs for suspicious SQL patterns.

Patch guidance

Obtain and apply the security update from the Open ISES Project vendor. Verify against the official advisory that your target version explicitly addresses SQL injection in the p1 parameter of city_graph.php. Test the patched version in a staging environment to confirm functionality before production deployment. Given the critical nature of SQL injection, patching should be scheduled urgently rather than deferred.

Detection guidance

Monitor HTTP request logs for GET requests to city_graph.php containing SQL keywords (UNION, SELECT, WHERE, EXEC) or encoding patterns (hex, URL-encoded) in the p1 parameter. Database query logs should be reviewed for unusual queries from the application's account, particularly those querying system tables or multiple databases. Network intrusion detection systems can flag requests matching SQL injection signatures in the p1 parameter. Conduct database access reviews to identify if unauthorized schema enumeration or data dumps occurred post-disclosure.

Why prioritize this

This vulnerability scores HIGH (CVSS 8.2) with critical exploitability factors: unauthenticated, network-accessible, trivial to exploit, and directly impacts data confidentiality. The simplicity of SQL injection and lack of authentication requirement make this an attractive target for opportunistic attackers scanning for vulnerable instances. Given the public disclosure date, exploitation is already plausible. Organizations should treat this as a near-critical remediation priority.

Risk score, explained

CVSS 3.1 score of 8.2 (HIGH) is driven by: network-based attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), high confidentiality impact (C:H), limited integrity impact (I:L), and no availability impact (A:N). The high confidentiality rating reflects direct unauthorized database read access. The score does not account for business context—organizations storing highly sensitive data should consider this functionally critical regardless of the numeric score.

Frequently asked questions

Can an attacker modify or delete data with this vulnerability?

The CVSS vector indicates limited integrity impact (I:L), meaning some modification may be possible but is not the primary attack path. SQL injection vulnerabilities often permit UPDATE or DELETE operations depending on database permissions and query construction. Assume the worst case: verify your database account permissions and assume an attacker could potentially modify data if the application account has write access.

Is authentication required to exploit this vulnerability?

No. The vulnerability is explicitly unauthenticated (PR:N in the CVSS vector). An attacker needs no login credentials, session token, or valid user account. Any network-connected attacker can send a malicious GET request to city_graph.php without prior access.

Does this vulnerability appear in the CISA KEV catalog?

No, this vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities catalog. However, the lack of KEV status does not mean exploitation is not occurring—it indicates CISA has not yet confirmed active in-the-wild exploitation. Given the simplicity and public disclosure, assume active exploitation is likely or imminent.

What is the minimum fix I should apply?

Upgrade to the patched version specified in the Open ISES Project security advisory for CVE-2018-25403. Verify the patch directly from the vendor's official release notes or security bulletin. Do not rely on version numbers inferred from this summary; consult the authoritative advisory.

This analysis is provided for informational and defensive purposes. The CVE details, CVSS score, and affected versions are sourced from authoritative vulnerability databases. Organizations are responsible for verifying patch availability, compatibility, and applicability to their specific deployments through official vendor advisories. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this content. Always consult the vendor's official security bulletin before deploying patches to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).