PatchSiren cyber security CVE debrief

CVE-2018-25385 eregistrasi-kejuaraan-silat CVE debrief

CVE-2018-25385 documents an unauthenticated SQL injection vulnerability in E-Registrasi Pencak Silat version 18.10, a tournament registration application for the Indonesian martial art Pencak Silat. The flaw resides in the `id_partai` parameter of `monitor_nilai.php`, which fails to properly sanitize user-supplied input before incorporating it into SQL queries. Attackers can exploit this weakness via crafted GET requests to extract sensitive database contents including administrative credentials and user data. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH severity), reflecting network accessibility, low attack complexity, no required privileges, and high confidentiality impact. The weakness is classified as CWE-89 (SQL Injection). The CVE record was published on May 29, 2026, with subsequent modification the same day; the underlying vulnerability dates to 2018 based on the CVE identifier and exploit publication timing. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor: eregistrasi-kejuaraan-silat
Product: Registrasi Pencak Silat
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

  • Organizations operating E-Registrasi Pencak Silat tournament registration systems
  • PHP web application developers maintaining legacy codebases
  • Security teams responsible for Indonesian martial arts competition infrastructure
  • Database administrators managing MySQL backends for sports management applications

Technical summary

The vulnerability exists in `monitor_nilai.php` where the `id_partai` parameter is directly concatenated into SQL queries without sanitization or parameterization. An attacker can submit malicious SQL payloads through GET requests to this endpoint, resulting in arbitrary SQL execution against the backend MySQL database. Successful exploitation enables extraction of sensitive data including administrator credentials, competitor information, and tournament records. The attack requires no authentication and can be conducted remotely with minimal complexity.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the id_partai parameter in monitor_nilai.php
  • Implement prepared statements with bound parameters for all database interactions
  • Conduct code review of entire application for similar SQL injection patterns
  • Deploy Web Application Firewall rules to detect and block SQL injection payloads
  • Remove or restrict access to monitor_nilai.php if functionality is not required
  • Monitor database query logs for anomalous patterns indicative of exploitation
  • Consider migrating to maintained alternative software given uncertain vendor support status
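The first two actions above (validate `id_partai`, then bind it as a parameter) applied to the endpoint described in the technical summary, as an added example written for this debrief and not the project's own code. The table and column names (`nilai`, `skor`), the database name, and the credentials are assumed placeholders; the unsafe line is the concatenation pattern the advisory describes, kept only as a comment for contrast.

```php
<?php
// Added example, not code from E-Registrasi Pencak Silat: a hardened handler
// for the id_partai GET parameter of monitor_nilai.php. Table, column, DSN and
// credential values are assumed placeholders.

declare(strict_types=1);

// UNSAFE pattern the advisory describes: the raw GET value is spliced into
// the SQL text, so the parameter can alter the query's structure.
// $sql = "SELECT * FROM nilai WHERE id_partai = " . $_GET['id_partai'];

// 1. Validate: id_partai is a numeric identifier, so accept only a positive
//    integer. filter_input returns null when absent and false when invalid.
$idPartai = filter_input(INPUT_GET, 'id_partai', FILTER_VALIDATE_INT, [
    'options' => ['min_range' => 1, 'max_range' => PHP_INT_MAX],
]);
if ($idPartai === null || $idPartai === false) {
    http_response_code(400);
    exit('invalid id_partai');
}

// 2. Parameterize: the value reaches MySQL as a bound parameter, never as part
//    of the statement text. Emulated prepares are disabled so the server, not
//    the client driver, performs the binding. The DB account should hold only
//    the SELECT privilege this page needs (least privilege, assumed here).
$pdo = new PDO(
    'mysql:host=localhost;dbname=silat;charset=utf8mb4', // assumed DSN
    'monitor_ro',                                        // assumed read-only user
    'placeholder-password',                              // assumed password
    [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]
);

$stmt = $pdo->prepare('SELECT id_partai, skor FROM nilai WHERE id_partai = :id');
$stmt->bindValue(':id', $idPartai, PDO::PARAM_INT);
$stmt->execute();
$rows = $stmt->fetchAll();

// 3. Encode on output so stored data cannot inject into the rendered HTML.
foreach ($rows as $row) {
    echo htmlspecialchars((string) $row['skor'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

The same two-step pattern (type-validate, then bind) is what the code review in the third action should look for across every other query in the application.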

Evidence notes

The vulnerability description and technical details are derived from official CVE metadata and VulnCheck advisory documentation. CVSS scoring follows NVD-assigned CVSS 4.0 vector. Vendor identification remains uncertain per NVD 'Deferred' status and 'Unknown Vendor' classification with low confidence.

Official resources

The vulnerability was disclosed through coordinated disclosure channels, with advisory publication by VulnCheck and exploit documentation in the Exploit Database. The affected software is distributed via SourceForge as an open-source PHP/My