CVE-2018-25419: SQL Injection in AiOPMSD 1.0.0 Genre Parameter
AiOPMSD Final 1.0.0 suffers from a critical SQL injection flaw in its genre parameter. An attacker can craft a malicious URL to genre.php and extract sensitive data—usernames, database names, version information—without needing to authenticate. The vulnerability is straightforward to exploit over the network and poses a real risk to confidentiality of stored data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-30 / 2026-06-17
NVD description (verbatim)
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the genre parameter. Attackers can send GET requests to genre.php with crafted SQL payloads in the genre parameter to extract sensitive database information including usernames, database names, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This is a classic SQL injection vulnerability (CWE-89) in the genre parameter of genre.php. The application fails to properly sanitize or parameterize user input before incorporating it into SQL queries. An unauthenticated attacker can inject arbitrary SQL syntax via GET requests, allowing them to read sensitive database contents. The CVSS 3.1 score of 8.2 (HIGH) reflects high confidentiality impact, low integrity impact, and no availability impact—the attacker can extract data and potentially modify records, but cannot crash the service.
Business impact
Compromise of this application exposes user credentials and database metadata, creating a direct path to lateral movement and further compromise of backend systems. Attackers can enumerate user accounts and system versions to inform secondary attacks. For organizations relying on AiOPMSD, this vulnerability creates immediate risk of unauthorized data access and potential regulatory exposure if the database contains sensitive personal or financial records.
Affected systems
AiOPMSD Final version 1.0.0 is affected. Any instance of this product publicly or internally accessible via HTTP/HTTPS is at risk. The vulnerability does not require authentication, so all network-reachable deployments are vulnerable regardless of user account settings.
Exploitability
Exploitability is very high. The attack vector is network-based, requires no special access (PR:N), no user interaction (UI:N), and is trivial to execute—a simple GET request with a SQL payload in the genre parameter is sufficient. Security tooling and threat actors would identify and weaponize this quickly if they become aware of the version's exposure.
Remediation
Upgrade AiOPMSD to a version beyond 1.0.0 that includes SQL injection fixes. If upgrading is not immediately possible, restrict network access to genre.php via firewall rules or web application firewall (WAF) policies that strip or reject SQL injection patterns in query parameters. Implement input validation to reject genre values containing SQL metacharacters.
Patch guidance
Consult the AiOPMSD vendor advisory for patched versions. Verify the specific version number in the advisory before deployment. If no patch is available from the vendor, consider discontinuing use of version 1.0.0 or implementing compensating controls (WAF rules, access restrictions) until a patch is released.
Detection guidance
Monitor web server logs for suspicious genre parameter values containing SQL keywords (UNION, SELECT, OR, DROP, etc.) or encoded equivalents sent to genre.php. Look for repeated requests from single IPs probing the parameter. Implement WAF rules to detect and block common SQL injection patterns. Query database logs for unusual queries executed by the application user account that differ from normal operations.
Why prioritize this
This vulnerability merits immediate attention. The HIGH CVSS score, unauthenticated attack vector, and trivial exploitation barrier make it an attractive target. The lack of KEV status does not diminish urgency—early discovery and exploitation before patches are widely deployed is common in SQL injection scenarios. Any internet-facing instance should be remediated or protected within days.
Risk score, explained
CVSS 3.1/8.2 reflects a combination of high confidentiality impact (attacker can read entire database contents), low integrity impact (SQL injection can modify data, but the vector does not assume the attacker will do so), no availability impact, and a network attack vector requiring no authentication or user interaction. The score appropriately categorizes this as HIGH severity and a priority remediation target.
Frequently asked questions
Can an attacker modify or delete data with this vulnerability?
Yes, SQL injection typically allows both read and write operations. While the CVSS vector does not assume modification, an attacker could craft UPDATE or DELETE queries via the genre parameter to alter or remove database records. The vulnerability should be treated as enabling both confidentiality and integrity compromise.
Is this vulnerability exploitable if the application is behind a firewall or not publicly accessible?
Yes. Any network path to genre.php—internal, DMZ, or external—exposes the vulnerability. If an attacker gains access to the internal network via other means, they can still leverage this SQL injection. Internal segmentation and access controls are important but do not eliminate the risk.
What if we cannot upgrade AiOPMSD immediately?
Implement a WAF rule that blocks requests to genre.php containing SQL keywords or common injection patterns. Restrict network access to the application to only trusted IP ranges. Monitor logs aggressively for exploitation attempts. These are temporary measures and should not delay patching; they are band-aids until a proper fix is deployed.
How can we verify if our instance has been exploited?
Review web server access logs and database query logs for anomalies dating back several weeks. Look for genre parameter values with SQL syntax, or database queries that appear out of the ordinary for normal application operation. Conduct a database integrity audit to detect unauthorized modifications. If compromise is suspected, assume full database exfiltration and treat credentials as compromised.
This analysis is based on the CVE description and CVSS vector provided as of the publication and modification dates listed. Actual exploitability and impact may vary depending on network configuration, firewall policies, and application deployment context. Organizations should verify patch availability and compatibility with their infrastructure before applying updates. No guarantee is made regarding the completeness or accuracy of vendor advisory information; always consult official vendor sources for definitive guidance on patched versions and remediation steps. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access