CVE-2018-25405: eNdonesia Portal 8.7 SQL Injection – Unauthenticated Database Access
eNdonesia Portal version 8.7 is vulnerable to multiple SQL injection flaws that allow unauthenticated attackers to extract sensitive data directly from the database. An attacker can manipulate specific web parameters—artid, cid, did, contid, and aboutid in the mod.php file—to inject malicious SQL commands. This bypasses normal authentication and gives direct access to usernames, database credentials, and system version information without requiring any valid user account.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25405 comprises multiple SQL injection vulnerabilities (CWE-89) in eNdonesia Portal 8.7's mod.php endpoint. The vulnerability exists in five distinct parameters: artid, cid, did, contid, and aboutid, all of which fail to properly sanitize or parameterize user input before incorporation into SQL queries. An unauthenticated network attacker can craft requests containing SQL metacharacters and subqueries to execute arbitrary database operations. The attack vector is network-accessible (AV:N), requires no special conditions (AC:L), no privileges (PR:N), and no user interaction (UI:N), resulting in confidentiality compromise through direct information disclosure.
Business impact
Organizations using eNdonesia Portal 8.7 face immediate risk of unauthorized database access and credential exposure. Attackers can extract user accounts, authentication details, and potentially administrative credentials from the database without triggering typical access logs or requiring system compromise. This exposure undermines trust in user data handling, creates regulatory compliance issues under data protection frameworks, and may enable lateral movement or privilege escalation attacks if harvested credentials are reused across internal systems.
Affected systems
eNdonesia Portal version 8.7 is confirmed vulnerable. Administrators should verify whether they are operating this specific version or any related installations where mod.php processes user-supplied parameters. The publicly available vendor and product information is limited; consult your deployment documentation and the eNdonesia vendor advisory to confirm your installation scope and any other potentially affected versions.
Exploitability
This vulnerability has a high exploitability profile. No authentication is required; the attack is entirely remote and network-based with no prerequisites or user interaction. SQL injection attacks are well-understood and tooling is widely available. The five vulnerable parameters provide multiple ingress points, increasing the likelihood that attackers will successfully craft working payloads. The confidentiality impact is high (direct database access) though integrity and availability impacts are lower under the CVSS vector. This combination makes the vulnerability attractive to reconnaissance-phase attacks.
Remediation
Immediate action is required. Verify your eNdonesia Portal version and confirm whether you are running 8.7. Contact the eNdonesia vendor immediately to obtain and deploy a patched version. If a patch is not yet available, implement temporary mitigations: restrict network access to mod.php via web application firewall (WAF) rules, disable the affected endpoint if not operationally critical, or segment the portal from systems containing sensitive data. Review database access logs for evidence of SQL injection attempts and monitor for unauthorized data extraction activity.
Patch guidance
Contact eNdonesia vendor support for patched versions and security advisories specific to version 8.7. Vendors typically release fixed versions that implement parameterized query construction or input validation. Verify patch release notes to confirm that all five vulnerable parameters (artid, cid, did, contid, aboutid) are addressed. Apply patches in a test environment first to confirm compatibility with your deployment before production rollout. Document the patch version number and deployment date for audit and compliance records.
Detection guidance
Monitor web server access logs for suspicious patterns in mod.php requests containing SQL metacharacters (single quotes, semicolons, SQL keywords like UNION, SELECT, OR in parameter values). Deploy WAF rules to detect and block requests with encoded SQL injection payloads. Use database query logging to identify unusual SELECT or information_schema queries originating from the web application user. Alert on any attempt to access system tables or tables outside the application's normal data scope. Implement network segmentation and monitor database connections from the application tier for anomalies.
Why prioritize this
This vulnerability merits immediate attention due to the combination of high CVSS score (8.2), unauthenticated attack vector, and direct access to sensitive database information. The lack of KEV listing does not reduce urgency—it reflects publication status, not threat level. Organizations should treat this as a critical priority for patching or mitigation given the ease of exploitation and the sensitivity of data at risk.
Risk score, explained
The CVSS 3.1 score of 8.2 (HIGH) reflects a network-accessible, unauthenticated SQL injection with high confidentiality impact. The attack complexity is low (AC:L), indicating that no special conditions or timing is required. The scope is unchanged (S:U), meaning the vulnerability does not affect resources beyond the vulnerable component. The high confidentiality rating (C:H) acknowledges that attackers can read the entire database; the low integrity rating (I:L) and no availability impact (A:N) reflect that SQL injection here is limited to data extraction rather than modification or service disruption. The overall score prioritizes this as a critical data disclosure risk.
Frequently asked questions
Can this vulnerability be exploited without network access to the eNdonesia Portal?
No. The vulnerability requires network-level access to the web server hosting mod.php. However, if the portal is exposed to the Internet, it can be exploited remotely by any attacker. If it is behind a firewall, internal network access is sufficient.
What is the difference between this vulnerability and typical SQL injection flaws?
The key distinction is the multiplicity of vulnerable parameters and the unauthenticated exposure. With five separate injection points and no authentication requirement, attackers have multiple pathways to compromise the database. This breadth increases the likelihood of successful exploitation.
Will a WAF rule alone protect us until we patch?
A WAF can significantly reduce risk by blocking requests with obvious SQL injection signatures. However, WAF rules are not a substitute for patching. Sophisticated attackers may craft payloads that evade WAF detection. WAF deployment should be considered a temporary mitigation while you source and plan the patch application.
Is there any indication that this vulnerability is being actively exploited in the wild?
The vulnerability is not currently listed in the CISA KEV catalog, which typically reflects public active exploitation. However, the absence of KEV listing does not mean the vulnerability is not being exploited—it may indicate that CISA has not yet determined active use. Treat this as a priority regardless of KEV status given the ease of exploitation.
This analysis is provided for informational purposes to assist security leaders in risk assessment and remediation planning. It is not a substitute for vendor advisories or detailed technical assessment specific to your deployment. Verify all remediation steps, patch versions, and compatibility with your environment before applying changes. SEC.co does not provide exploitation guidance or weaponized code. Consult your IT team, vendor support, and applicable regulatory frameworks when determining remediation priority and compliance obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access