HIGH 8.2

CVE-2018-25407: eNdonesia Portal 8.7 SQL Injection Vulnerability – Critical Unauthenticated Database Access Risk

eNdonesia Portal version 8.7 contains multiple SQL injection flaws in its mod.php file that allow attackers to inject malicious SQL commands without authentication. By crafting specially formed requests targeting parameters like artid, cid, did, contid, and aboutid across various portal modules (publisher, diskusi, galeri, content, about), an attacker can extract sensitive database information such as usernames, database names, and version details. No user interaction or authentication is required to exploit this vulnerability.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-05-30 / 2026-06-17

NVD description (verbatim)

eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a classic SQL injection flaw (CWE-89) affecting eNdonesia Portal 8.7's mod.php script. Multiple parameters—artid, cid, did, contid, and aboutid—fail to properly sanitize user input before incorporating it into SQL queries. The affected modules span publisher, diskusi, galeri, content, and about functionality. The lack of input validation or parameterized queries allows direct SQL command injection, enabling unauthorized database access and information disclosure. The CVSS 3.1 vector (8.2/HIGH) reflects the network-accessible nature, low attack complexity, and significant confidentiality impact, though integrity and availability impacts are limited.

Business impact

Exploitation exposes critical database assets, including user credentials, database structure, and version information that can inform secondary attacks. For portals managing member data, content, or administrative information, this represents a direct threat to data confidentiality and a potential stepping stone to further compromise. If eNdonesia Portal instances hold personally identifiable information (PII), breaches carry regulatory and reputational consequences. The unauthenticated, remotely exploitable nature makes this a high-priority threat regardless of deployment size.

Affected systems

eNdonesia Portal version 8.7 is confirmed vulnerable. Versions before 8.7 and after 8.7 should be assessed; patch availability and version scope require vendor confirmation. Organizations running eNdonesia Portal deployments, particularly in production environments handling sensitive data or user accounts, are at direct risk.

Exploitability

Exploitability is straightforward: the vulnerability requires no authentication, no user interaction, and minimal technical complexity. A remote attacker can craft HTTP requests with injected SQL syntax in vulnerable parameters to retrieve data. The attack surface is broad—five parameters across five modules provide multiple entry points. Public awareness of SQL injection techniques and availability of automated scanning tools means this vulnerability poses an immediate, practical threat.

Remediation

Immediate action is required: apply patches or upgrades provided by the eNdonesia Portal vendor, prioritizing any version that addresses SQL injection across mod.php parameters. If patches are unavailable, implement strict input validation, use prepared statements or parameterized queries for all database operations, and apply Web Application Firewall (WAF) rules to block SQL injection payloads. Conduct a database audit to identify whether unauthorized access has occurred post-deployment.

Patch guidance

Contact the eNdonesia Portal vendor or check their security advisory for version 8.7 patch availability. Verify patch version numbers and applicability against your specific deployment. Test patches in a non-production environment before rolling out organization-wide. If your portal is behind a WAF, update rules to detect and block SQL injection attempts while patch testing occurs. Document all patch application and database access logs from the vulnerability discovery date onward.

Detection guidance

Monitor mod.php access logs and Web Application Firewall (WAF) logs for SQL injection signatures—look for common payloads like single quotes, UNION, SELECT, and boolean operators in artid, cid, did, contid, and aboutid parameters. Enable database query logging and audit logs to detect unusual SELECT, INSERT, UPDATE, or DELETE statements, especially those accessing system tables or user credential tables. Perform vulnerability scans using SAST or DAST tools configured to detect SQL injection. Review user access patterns and failed login attempts to identify potential post-exploitation reconnaissance.

Why prioritize this

This vulnerability merits immediate remediation due to its HIGH severity (CVSS 8.2), unauthenticated remote exploitability, and direct impact on data confidentiality. The broad attack surface (five parameters, five modules) and simplicity of exploitation mean this is actively exploitable by opportunistic and sophisticated attackers alike. Any eNdonesia Portal instance exposed to untrusted networks should be treated as a critical patch priority.

Risk score, explained

The CVSS 3.1 score of 8.2 (HIGH) reflects an attack vector that is network-accessible (AV:N), requires low or no special conditions (AC:L), needs no privileges (PR:N), and requires no user interaction (UI:N). The impact scope is unchanged (S:U). Confidentiality is highly compromised (C:H)—database contents can be fully extracted. Integrity impact is low (I:L)—attackers can modify data but the primary threat is read access. Availability is not impacted (A:N). The combination of easy exploitation and significant data exposure justifies the HIGH severity.

Frequently asked questions

Can this vulnerability be exploited without internet access to the server?

No. The vulnerability is network-accessible (AV:N), meaning the attacker must be able to send HTTP requests to the mod.php endpoint. However, if your eNdonesia Portal is exposed to the internet or untrusted networks, it is exploitable remotely. Internal-only deployments behind firewalls that restrict access are at lower immediate risk, but should still be patched given the ease of exploitation.

Does the attacker need a valid user account to exploit this?

No. One of the critical aspects of this vulnerability is that it requires no authentication (PR:N). An unauthenticated attacker can craft requests to the vulnerable parameters and inject SQL queries without logging in, making the attack surface extremely broad.

What information can an attacker extract?

According to the vulnerability description, attackers can extract database information including usernames, database names, and version details. Depending on database permissions and the scope of the injected query, attackers may also access other tables, records, and sensitive data stored in the portal's database. A complete database dump is possible with persistent SQL injection exploitation.

Is there a publicly available exploit for this vulnerability?

The vulnerability is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, which typically tracks vulnerabilities with active real-world exploitation. However, SQL injection is a well-understood attack class, and the simplicity of this flaw means exploitation is trivial for any attacker with basic SQL knowledge. Assume this vulnerability will be exploited if left unpatched.

This analysis is based on publicly available vulnerability data as of the modification date (2026-06-17) and is provided for informational purposes. Patch version numbers, vendor advisory links, and specific affected versions beyond 8.7 should be independently verified against official vendor documentation. Organizations should conduct their own risk assessment and testing in their specific environments. SEC.co does not warrant the accuracy or completeness of this intelligence and assumes no liability for actions taken in reliance on this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).