PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25405 Endonesia CVE debrief

CVE-2018-25405 documents multiple SQL injection vulnerabilities in eNdonesia Portal 8.7, specifically within the mod.php component. Unauthenticated attackers can inject malicious SQL through multiple parameters—artid, cid, did, contid, and aboutid—to execute arbitrary database queries. Successful exploitation enables extraction of sensitive information including usernames, database names, and version details. The vulnerability carries a HIGH severity CVSS score of 8.8. The vendor identification remains uncertain with low confidence; the reference domain candidate suggests 'Endonesia' but requires review. The CVE was published and last modified on 2026-05-30. No Known Exploited Vulnerabilities (KEV) listing exists for this issue.

Vendor
Endonesia
Product
eNdonesia Portal
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-30
Original CVE updated
2026-05-30
Advisory published
2026-05-30
Advisory updated
2026-05-30

Who should care

Organizations running eNdonesia Portal 8.7, web application security teams, database administrators, and security operations centers monitoring for unauthenticated injection attacks against legacy PHP applications.

Technical summary

The vulnerability exists in eNdonesia Portal 8.7's mod.php file, which fails to properly sanitize user input across five parameters: artid, cid, did, contid, and aboutid. An unauthenticated remote attacker can craft malicious HTTP requests containing SQL injection payloads to manipulate backend database queries. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N) reflects network accessibility, low attack complexity, no required privileges or user interaction, high confidentiality impact, and low integrity impact with no availability impact. Successful exploitation yields sensitive database metadata including usernames, database names, and version information without authentication.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to all user-supplied parameters in mod.php, particularly artid, cid, did, contid, and aboutid
  • Implement prepared statements or stored procedures to eliminate SQL injection attack surface
  • Restrict database account privileges used by the application to least-privilege principles
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting these parameters
  • Monitor application logs for anomalous database query patterns or unauthorized information extraction attempts
  • Review and update to a patched version of eNdonesia Portal if available from the vendor
  • Conduct security code review of mod.php and related modules for additional injection vulnerabilities

Evidence notes

The CVE description confirms unauthenticated SQL injection via five distinct parameters in mod.php. CVSS 4.0 vector indicates network attack vector with low attack complexity, no privileges required, and high confidentiality impact. Source references include the eNdonesia project website, SourceForge download page, Exploit-DB entry 45654, and a VulnCheck advisory. The vulnerability is classified under CWE-89 (SQL Injection). NVD status is 'Received' as of the source publication date.

Official resources

CVE-2018-25405 was published on 2026-05-30T16:16:55.650Z and modified the same day. The vulnerability affects eNdonesia Portal version 8.7. The vendor attribution is marked as low-confidence based on reference domain candidate evidence, and