CVE-2018-25429: SQL Injection in Paroiciel 11.20 – zpro.php zProIdPro Parameter
Paroiciel version 11.20 contains an SQL injection vulnerability in the zpro.php endpoint that allows authenticated users to execute arbitrary database queries by manipulating the zProIdPro parameter. An attacker with valid credentials can craft malicious SQL statements to extract sensitive information from the database, including usernames, database names, and version details. This is a post-authentication attack that does not require user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the zpro.php file where the zProIdPro parameter is processed without proper input validation or parameterized query construction. Attackers can inject SQL metacharacters and commands through GET requests to bypass query logic and execute unintended SQL operations. The flaw maps to CWE-89 (SQL Injection) and allows extraction of database schema and content through error-based or union-based injection techniques. The attack surface is limited to authenticated sessions, reducing but not eliminating risk in environments with shared or compromised credentials.
Business impact
This vulnerability enables insider threats and compromised account holders to exfiltrate sensitive data stored in Paroiciel databases without triggering typical access controls. Organizations relying on Paroiciel for sensitive operations face potential data breaches, regulatory compliance violations (GDPR, HIPAA, PCI-DSS depending on data stored), and reputational damage. The ability to extract database metadata and user credentials amplifies the risk of lateral movement and privilege escalation within the affected infrastructure.
Affected systems
Paroiciel version 11.20 is confirmed vulnerable. Organizations should verify whether they are running this specific version or any prior versions that may contain the same flaw. The vendor product list was not provided in available advisories, so consultation with Paroiciel vendor documentation or support is necessary to determine the full scope of affected installations and whether versions before or after 11.20 are impacted.
Exploitability
Exploitation requires valid authentication credentials to access the zpro.php endpoint, which significantly raises the bar compared to unauthenticated attacks. However, the vulnerability is straightforward to exploit once authenticated—attackers need only craft and send a single HTTP GET request with a malicious SQL payload. No special tools or complex conditions are required. The CVSS vector reflects low attack complexity and no user interaction needed, making this a high-priority concern for organizations with weak access controls or credential compromise risks.
Remediation
Apply the security patch released by Paroiciel for version 11.20. Ensure input validation and use parameterized queries (prepared statements) to neutralize SQL injection. Implement principle of least privilege by restricting database account permissions to the minimum necessary for application functions. Consider network segmentation to limit access to zpro.php from trusted hosts only, and monitor authentication logs for suspicious account activity.
Patch guidance
Contact Paroiciel support or check their advisory portal for the patched version addressing this SQL injection flaw. Verify patch availability and compatibility with your deployment environment before applying. Test patches in a non-production environment to ensure no functional regression. Once patches are available, prioritize deployment to systems running version 11.20 given the HIGH severity rating and ease of exploitation for authenticated users.
Detection guidance
Monitor HTTP GET requests to zpro.php for unusual zProIdPro parameter values containing SQL keywords (SELECT, UNION, OR, AND, etc.) or metacharacters (single quotes, dashes, comments). Enable database query logging to detect anomalous SQL execution patterns, such as queries attempting to access system tables or unusual data extraction. Alert on failed SQL syntax errors returned to web clients, which may indicate injection attempts. Review authentication logs for credential abuse or concurrent sessions from unexpected locations.
Why prioritize this
Although the CVSS score is 7.1 (HIGH), the authentication requirement limits immediate risk in properly secured environments. However, this should still be prioritized for patching within 30 days due to: (1) high confidentiality impact (C:H) permitting full database disclosure, (2) straightforward exploitation once authenticated, (3) potential for credential harvesting enabling further attacks, and (4) applicability to any organization with weak password policies or credential compromise incidents.
Risk score, explained
The CVSS 3.1 score of 7.1 reflects a HIGH-severity vulnerability with network-accessible attack vector, low attack complexity, and high confidentiality impact. The requirement for authentication (PR:L) prevents it from reaching a CRITICAL score, but the high confidentiality impact and ability to extract sensitive identifiers justify the elevated rating. Integrity impact is low (data can be modified but is not the primary objective), and availability is not affected.
Frequently asked questions
Does this vulnerability allow unauthenticated attackers to access data?
No. The vulnerability requires valid authentication credentials to reach the vulnerable zpro.php endpoint. An attacker must already have a legitimate user account or have compromised one to exploit this flaw. This significantly reduces the attack surface compared to unauthenticated SQL injection flaws.
Can we mitigate this without patching?
While patching is the definitive solution, temporary mitigations include: restricting network access to zpro.php to trusted internal subnets, implementing Web Application Firewall (WAF) rules to block requests containing SQL injection patterns in the zProIdPro parameter, and enforcing strict password policies to reduce credential compromise risk. These are not substitutes for patching and should only be interim measures.
Why is a HIGH severity rating assigned if authentication is required?
The HIGH rating reflects the high confidentiality impact—an authenticated attacker can extract the entire database including usernames and credentials. This is a significant breach of confidentiality. Although authentication is required, the ease of exploitation and the sensitivity of data at risk justify the elevated severity. Additionally, compromised credentials are common in security incidents.
How does this differ from other SQL injection vulnerabilities?
This SQL injection is post-authentication, meaning it requires a valid user account rather than being exploitable by anonymous attackers. This limits the attacker pool but increases insider threat risk. The vulnerability is also specific to a single parameter and endpoint, making it easier to detect and protect via targeted WAF rules or input validation hardening.
This analysis is provided for informational purposes only and does not constitute security advice. Verify all technical details, patch availability, and vendor recommendations against official Paroiciel advisories and documentation. Test patches in non-production environments before deployment. SEC.co does not assume liability for the accuracy of vendor-specific details or patch timelines, which may vary by region and deployment type. Organizations should consult with Paroiciel directly for support and the most current remediation guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access