HIGH 8.2

CVE-2018-25428: Paroiciel 11.20 Unauthenticated SQL Injection Vulnerability

Paroiciel version 11.20 contains an unauthenticated SQL injection flaw in its trec.php endpoint. An attacker can craft malicious web requests to the tRecIdListe parameter, inject arbitrary SQL commands, and retrieve sensitive database contents like table and column names without needing valid credentials. This is a remote attack that requires no special privileges or user interaction.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.2 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

Paroiciel 11.20 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tRecIdListe parameter. Attackers can send GET requests to the trec.php endpoint with crafted SQL payloads to extract database information including table and column names.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25428 is a CWE-89 SQL injection vulnerability affecting Paroiciel 11.20. The vulnerability exists in the trec.php endpoint where the tRecIdListe parameter fails to properly sanitize or parameterize user input before incorporating it into SQL queries. An attacker can send GET requests with crafted SQL metacharacters and comment sequences to execute arbitrary SQL statements. The lack of input validation allows extraction of database schema information, user records, and potentially other sensitive data depending on database permissions and structure.

Business impact

Successful exploitation enables unauthorized database reconnaissance and data exfiltration. An attacker could identify sensitive table names, column definitions, and potentially extract credentials, personally identifiable information, or business-critical data without detection. The vulnerability requires no authentication, making it accessible to any network-connected attacker. Organizations running Paroiciel 11.20 face significant risk of data breach, compliance violations (GDPR, HIPAA, etc. if applicable data is exposed), and reputational harm.

Affected systems

Paroiciel version 11.20 is affected. Users should verify their installed version and confirm whether other minor versions near 11.20 are similarly vulnerable by consulting the vendor's security advisory. The vulnerability is accessible over the network from any unauthenticated source without requiring exploitation of additional weaknesses.

Exploitability

Exploitability is high. The vulnerability requires no authentication, no user interaction, and no special network access—only HTTP connectivity to the vulnerable endpoint. Attack complexity is low; a basic understanding of SQL syntax and web request construction suffices to craft functional payloads. Public proof-of-concept demonstrations may already be circulating, and automated scanning tools can detect the parameter injection point. Attackers can test for vulnerability presence with simple reconnaissance queries before launching data extraction campaigns.

Remediation

Upgrade Paroiciel to a patched version released by the vendor. Until patching is possible, implement network-level protections such as Web Application Firewall (WAF) rules that block SQL metacharacters in the tRecIdListe parameter, restrict access to trec.php to trusted IP ranges, and disable the endpoint if not operationally required. Apply input validation and parameterized query controls at the application level. Monitor database query logs for suspicious SQL patterns that may indicate exploitation attempts.

Patch guidance

Contact the Paroiciel vendor and review their security advisory for patched version availability and upgrade procedures. Verify that your current version number matches the vendor's list of affected releases. Test patches in a non-production environment before deployment. Given the high severity and unauthenticated nature of the flaw, prioritize patching within your change control process. If a vendor patch is unavailable, escalate to the vendor and evaluate whether the application should be taken offline pending a security fix.

Detection guidance

Monitor HTTP logs and WAF alerts for requests to trec.php containing SQL metacharacters or suspicious payloads in the tRecIdListe parameter (e.g., single quotes, UNION, SELECT, OR 1=1, comments like -- or /**/). Configure SIEM queries to flag database error messages or unexpected data volume in responses. Track database audit logs for unusual query patterns, schema enumeration attempts, or access to sensitive tables from the web application account. Implement baseline profiling of normal trec.php behavior to identify anomalies.

Why prioritize this

CVE-2018-25428 rates CVSS 8.2 (HIGH) due to unauthenticated remote access, high confidentiality impact (database disclosure), and low attack complexity. While integrity and availability impact are limited, the information leakage poses significant risk. This vulnerability should be treated as a critical remediation candidate for organizations running Paroiciel 11.20, particularly those handling regulated or sensitive data. The five-month gap between publication (June 2026) and modification suggests vendor activity; confirm patch availability before deprioritizing.

Risk score, explained

The CVSS 3.1 score of 8.2 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no authentication required (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), high confidentiality impact from database exposure (C:H), low integrity impact from limited write capability (I:L), and no availability impact (A:N). The score appropriately captures the severity of unauthenticated data exfiltration as a substantial threat, though it does not reflect business context like data sensitivity or regulatory exposure—factors organizations should layer into their own risk assessment.

Frequently asked questions

Does this vulnerability allow an attacker to modify or delete data?

No. While the SQL injection enables arbitrary query execution, the vulnerability is primarily leveraged for information disclosure—extracting database structure and content. The CVSS score reflects low integrity impact (I:L), meaning modification is technically possible but less likely or impactful in typical exploitation scenarios. However, do not assume immutability; verify with the vendor whether the flaw permits INSERT, UPDATE, or DELETE operations in your deployment.

Can I mitigate this without upgrading immediately?

Yes, temporarily. Implement WAF rules blocking SQL keywords and metacharacters in tRecIdListe, restrict network access to trec.php via firewall or VPN, and consider disabling the endpoint if not actively used. These measures reduce exposure while you arrange a vendor patch. However, such mitigations are not a permanent substitute for patching—treat them as interim risk reduction steps only.

Is this vulnerability actively exploited?

CVE-2018-25428 is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, which does not definitively prove the absence of exploitation. However, lack of KEV status does not guarantee safety; organizations should assume that any remotely exploitable SQL injection flaw may be targeted opportunistically by automated scanning and criminal groups. Prioritize patching as if active exploitation were occurring.

What data could an attacker realistically extract?

An attacker can query database metadata (table names, column definitions, schema structure) and potentially dump entire tables depending on database permissions and size. If the application database stores user credentials, financial records, or personal information, exposure could be severe. The actual blast radius depends on your data classification and what sensitive information is housed in the Paroiciel database.

This analysis is provided for informational purposes and reflects publicly disclosed vulnerability details as of the publication and modification dates shown. Patch availability, affected version scope, and vendor response may have changed; consult the official Paroiciel security advisory for authoritative guidance. This assessment does not constitute legal or compliance advice. Organizations should conduct their own risk analysis based on their deployment, data sensitivity, and regulatory obligations. SEC.co makes no warranty regarding the completeness or accuracy of third-party vendor information referenced herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).