PatchSiren cyber security CVE debrief

CVE-2018-25395 Kados CVE debrief

CVE-2018-25395 documents an unauthenticated SQL injection vulnerability in Kados R10 GreenBee, a project management application. The flaw exists in the `feature_id` parameter of `boards_buttons/update_feature.php`, where user-supplied input is concatenated directly into SQL statements without sanitization. Attackers can exploit this via crafted GET requests using UNION-based payloads to extract sensitive database information including current user, database name, and DBMS version. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH severity) with network attack vector, low attack complexity, no privileges required, and high confidentiality impact. The CVE was published to NVD on 2026-05-29 with a status of 'Deferred'. No known exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV.

Vendor: Kados
Product: Kados R10 GreenBee
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-29
Original CVE updated: 2026-05-29
Advisory published: 2026-05-29
Advisory updated: 2026-05-29

Who should care

  • Organizations running Kados R10 GreenBee for project management
  • Security teams responsible for legacy PHP application security
  • Developers maintaining forked versions of Kados
  • Incident response teams monitoring for SQL injection indicators of compromise

Technical summary

The vulnerability resides in boards_buttons/update_feature.php where the feature_id parameter is directly concatenated into SQL queries without sanitization. An unauthenticated attacker can send a crafted GET request with a UNION-based SQL payload to execute arbitrary queries. Successful exploitation enables extraction of database metadata including current database user, database name, and DBMS version. The attack requires no authentication and can be performed remotely with low complexity.

Defensive priority

HIGH

Recommended defensive actions

  • Apply input validation and parameterized queries to the feature_id parameter in boards_buttons/update_feature.php
  • Implement prepared statements or stored procedures to prevent SQL injection
  • Conduct code review of all database interaction points in the Kados R10 GreenBee codebase
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection attempts against the identified endpoint
  • Monitor access logs for suspicious GET requests to boards_buttons/update_feature.php containing SQL keywords or UNION statements
  • Consider migrating to actively maintained project management software if vendor support is unavailable
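As an added example for the log-monitoring action above (example code, not PatchSiren's or the Kados project's own), a Python scanner over constructed Apache-style access-log lines that flags requests to `boards_buttons/update_feature.php` whose `feature_id` value contains UNION/SELECT, a quoted tautology or an SQL comment sequence, URL-decoding twice so double-encoded values are not missed. The log lines, client addresses and the `/kados/` install prefix are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed Apache combined-format access-log lines (not real traffic): a normal
# request, a UNION probe, an unrelated page with "union" in it, and a tautology probe.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:01:02 +0000] "GET /kados/boards_buttons/update_feature.php?feature_id=42&status=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2026:10:01:05 +0000] "GET /kados/boards_buttons/update_feature.php?feature_id=42%20UNION%20SELECT%201,2,3--%20- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.11 - - [29/May/2026:10:02:00 +0000] "GET /kados/index.php?page=union_station HTTP/1.1" 200 900 "-" "Mozilla/5.0"
203.0.113.12 - - [29/May/2026:10:03:00 +0000] "GET /kados/boards_buttons/update_feature.php?feature_id=42'+or+'1'='1 HTTP/1.1" 500 0 "-" "curl/8.0"
"""

TARGET_PATH = "boards_buttons/update_feature.php"  # endpoint named in the advisory

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Indicators for the injection class in the advisory: UNION ... SELECT,
# quote tautologies such as ' or '1'='1, and comment sequences that truncate the query.
SQLI_RE = re.compile(r"\bunion\b.*\bselect\b|['\"]\s*(?:or|and)\s*['\"]?\d|--|/\*",
                     re.IGNORECASE)


def normalise(value: str) -> str:
    """URL-decode twice so double-encoded values (e.g. %2527 for a quote) are still caught."""
    return unquote_plus(unquote_plus(value))


def is_suspicious(value: str) -> bool:
    return SQLI_RE.search(normalise(value)) is not None


def scan_log(text: str) -> list[dict]:
    """One finding per request to the affected endpoint whose feature_id looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith(TARGET_PATH):
            continue  # other endpoints (index.php?page=union_station) are ignored
        # parse_qs already decodes one level of percent-encoding and '+'.
        for raw in parse_qs(url.query, keep_blank_values=True).get("feature_id", []):
            if is_suspicious(raw):
                findings.append({"ip": m["ip"], "ts": m["ts"], "status": m["status"],
                                 "feature_id": normalise(raw)})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} feature_id={f['feature_id']!r}")
```

The response status is kept in each finding because a 500 on this endpoint paired with an injected value is itself a useful triage signal.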

Evidence notes

SQL injection confirmed via direct source code analysis showing unsanitized parameter concatenation. CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection') is the primary weakness classification. The CVSS 4.0 vector indicates high confidentiality impact with no integrity or availability impact under the base metrics.

Official resources

The vulnerability was disclosed via VulnCheck advisory and published to Exploit-DB. The affected product is Kados R10 GreenBee, an open-source project management tool historically hosted on SourceForge.