CVE-2018-25406 eNdonesia Portal 8.7 SQL Injection Vulnerability
eNdonesia Portal version 8.7 contains multiple SQL injection flaws that allow attackers without authentication to run arbitrary database commands. By inserting malicious SQL code into specific URL parameters—artid, cid, did, contid, and aboutid—across five different modules (publisher, diskusi, galeri, content, and about), attackers can extract sensitive information like database credentials and system version details. This is a network-based attack requiring no user interaction or prior access.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2018-25406 is a pre-authentication SQL injection vulnerability in eNdonesia Portal 8.7. The mod.php entry point fails to sanitize user input across multiple parameters in five application modules. The vulnerability allows injection of arbitrary SQL through artid, cid, did, contid, and aboutid parameters. Attack vectors span the publisher, diskusi (discussion), galeri (gallery), content, and about modules. Successful exploitation enables information disclosure (database credentials, version information, schema enumeration) and potential data modification. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) reflects network accessibility, low attack complexity, no privilege or user interaction requirements, and high confidentiality impact with limited integrity risk.
Business impact
An attacker exploiting this vulnerability can extract database credentials and user information, potentially leading to unauthorized access to backend systems, data theft, and lateral movement within the infrastructure. The ability to modify data (indicated by the integrity component) creates risk of defacement or business logic manipulation. Organizations running eNdonesia Portal 8.7 face exposure of sensitive administrative and user data without any authentication barrier. This is particularly critical if the portal stores customer, financial, or personal information subject to regulatory compliance requirements.
Affected systems
eNdonesia Portal version 8.7 is explicitly vulnerable. The vulnerability exists in mod.php and affects five distinct modules: publisher, diskusi, galeri, content, and about. Any deployment of version 8.7 accessible over a network is at risk. Confirm your environment's eNdonesia Portal version and verify whether you use any of the affected modules. Other versions have not been explicitly confirmed as vulnerable or patched in available advisories; check the vendor's security guidance for version-specific status.
Exploitability
Exploitability is high. The attack requires only network access and a web browser or basic HTTP client—no authentication, no user interaction, and no special conditions are needed. SQL injection attacks against mod.php parameters can be crafted trivially by an attacker with basic SQL knowledge. The vulnerability is immediately actionable over the internet. However, actual impact depends on the database configuration, permissions, and what information is exposed; in some cases, damage may be limited to reading non-sensitive data, while in others, attackers may escalate to full database compromise.
Remediation
Immediate action: If you operate eNdonesia Portal 8.7, verify your exposure by determining if mod.php and the affected modules are internet-facing. Isolate or restrict access to the portal using network controls (firewall rules, VPN requirements) until patching is complete. Contact the eNdonesia vendor for a security patch or upgrade guidance; verify the recommended version addresses this vulnerability before deployment. Apply input validation and parameterized queries (prepared statements) if you maintain or customize the code. Consider implementing a Web Application Firewall (WAF) with SQL injection detection rules as a temporary mitigation while awaiting patches.
Patch guidance
Consult the eNdonesia vendor's official security advisory for patched versions and release schedules. Upgrade eNdonesia Portal beyond version 8.7 once a patched release is confirmed available. Prior to deployment, test the upgrade in a non-production environment to ensure compatibility with your customizations and dependent systems. Verify patch completeness by reviewing the vendor's advisory and confirmation that all five affected modules are addressed. If no official patch is available, request a timeline from the vendor or evaluate migration to an alternative solution.
Detection guidance
Monitor web server and application logs for SQL injection patterns in mod.php access, particularly suspicious characters (single quotes, double dashes, UNION, SELECT, etc.) in the artid, cid, did, contid, and aboutid parameters. Implement network-based intrusion detection signatures for SQL injection against these specific parameters. Database activity monitoring can reveal unusual queries, unauthorized schema access, or privilege escalations correlating with the attack window. Check for unexpected database user account creation or modifications in audit logs. Correlation of web server 200 or 500 responses with simultaneous database anomalies may indicate exploitation attempts.
Why prioritize this
This vulnerability scores HIGH (CVSS 8.2) due to unauthenticated network accessibility, no user interaction requirement, and direct information disclosure capability. The exposure of database credentials amplifies downstream risk significantly. If eNdonesia Portal 8.7 is internet-facing and handles sensitive data, prioritize patching within your change management window. Environments where the portal is internal-only or carries non-sensitive data may accept slightly lower urgency, but remediation should still be scheduled promptly given the trivial attack complexity.
Risk score, explained
CVSS 3.1 score of 8.2 (HIGH) is driven by: Attack Vector Network (AV:N) — exploitable remotely with no special access; Attack Complexity Low (AC:L) — standard SQL injection techniques suffice; Privileges Required None (PR:N) — unauthenticated attackers can exploit; User Interaction None (UI:N) — no social engineering or user action needed; Scope Unchanged (S:U) — impact is limited to the vulnerable system; Confidentiality High (C:H) — database credentials and sensitive data are exposed; Integrity Low (I:L) — attackers can modify some data but impact is limited; Availability None (A:N) — no denial-of-service component. The combination of easy, unauthenticated exploitation with high data disclosure risk justifies the HIGH classification.
Frequently asked questions
How do I know if my eNdonesia Portal installation is running version 8.7?
Check the application's version string in its admin panel, configuration files, or version.php if exposed. Common locations include the footer, About section, or system information area. You can also inspect HTTP response headers or check the vendor's documentation for your deployment date and release notes. If unsure, assume a potentially vulnerable version until confirmed otherwise.
Can this vulnerability be exploited if the portal is behind a firewall or only accessible internally?
Network isolation significantly reduces risk but does not eliminate it. Insider threats, compromised internal systems, or lateral movement from other breaches remain concerns. However, internet-facing deployments are at immediate risk. Prioritize based on your exposure: external access = urgent; internal-only = important but lower priority while you pursue patching.
What is the difference between this vulnerability and other SQL injections I may have heard about?
SQL injection is a broad class of vulnerability. This one is notable for affecting multiple entry points (five parameters) across five modules in a single application, and for requiring no authentication. The high confidentiality impact stems from the ability to extract database credentials directly, which can enable further attacks on other systems or data stores.
If I cannot patch immediately, what are my options?
Apply network-based controls: restrict access to mod.php via firewall rules, require VPN authentication, or place the application behind a WAF with SQL injection filtering. Disable unused modules if they are not required for business operations. Increase monitoring and alerting on suspicious queries. These are temporary measures; patch as soon as a tested, compatible version is available from the vendor.
This analysis is based on the CVE record and publicly available information as of the publication date. Vendor details, patch timelines, and affected product versions are subject to change; verify directly with the eNdonesia vendor for the most current security guidance. No exploit code or proof-of-concept instructions are provided. This content is for informational and defensive purposes only. Unauthorized access to computer systems is illegal; security research and testing must be conducted only on systems you own or have explicit permission to test. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access