PatchSiren cyber security CVE debrief

CVE-2018-25404 Open ISES CVE debrief

A high-severity SQL injection vulnerability exists in The Open ISES Project version 3.30A. The flaw is in the `add_facnote.php` endpoint, where the `ticket_id` parameter is placed into a SQL query without validation or escaping, allowing unauthenticated attackers to inject and execute arbitrary SQL. Successful exploitation enables extraction of sensitive database information, including the database version and other data, without any credentials. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH), reflecting network reachability, low attack complexity, no required privileges, and high confidentiality impact. The Open ISES Project is an open-source emergency services information system hosted on SourceForge. Organizations running version 3.30A should prioritize patching or, where no fix is available, enforcing input validation and parameterized queries on the affected endpoint.

Vendor
Open ISES
Product
Open ISES Project
CVSS
HIGH 8.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations operating emergency services information systems, public safety IT administrators, and security teams responsible for open-source incident management platforms

Technical summary

The Open ISES Project 3.30A contains an unauthenticated SQL injection vulnerability in the add_facnote.php endpoint. The ticket_id parameter accepts unsanitized user input that is directly concatenated into SQL queries, enabling attackers to execute arbitrary SQL commands via crafted GET requests. The vulnerability allows extraction of database version information and other sensitive data without authentication credentials. CVSS 4.0 score: 8.8 (HIGH).
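The following is an added example, not code from the Open ISES Project or from the original advisory. It models the flaw described above in Python against an in-memory SQLite database (an assumption; the real application is PHP and its database engine is not identified here), with constructed table names and constructed payloads of the same class the advisory describes. The vulnerable function splices `ticket_id` into the query text; the hardened function applies the two controls the advisory recommends, a strict numeric check and a bound parameter.

```python
import re
import sqlite3

# Constructed demo schema: stand-in tables with assumed names, not taken from
# the Open ISES code base.
def make_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, summary TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?)",
        [(1, "Structure fire, Elm St"), (2, "Vehicle collision, Route 9")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, ticket_id: str) -> list[str]:
    """Flawed pattern: the request parameter is concatenated into the SQL text,
    so whatever the client sends becomes part of the statement."""
    sql = "SELECT summary FROM tickets WHERE id = " + ticket_id
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn: sqlite3.Connection, ticket_id: str) -> list[str]:
    """Fixed pattern: validate the shape, then bind the value as a parameter."""
    # Layer 1: a ticket identifier is a positive integer, so accept only digits
    # and reject everything else before it reaches the database.
    if not re.fullmatch(r"[1-9][0-9]{0,9}", ticket_id):
        raise ValueError("ticket_id must be a positive integer")
    # Layer 2: a bound parameter is always treated as data, never as SQL, so
    # even if layer 1 were missing the payloads below could not alter the query.
    rows = conn.execute("SELECT summary FROM tickets WHERE id = ?", (int(ticket_id),))
    return [row[0] for row in rows]

# Constructed payloads (illustrative, not the published proof of concept):
# the first appends a UNION that reads the database version, the second makes
# the WHERE clause always true and dumps every row.
VERSION_PAYLOAD = "1 UNION ALL SELECT sqlite_version()"
ALL_ROWS_PAYLOAD = "1 OR 1=1"

def demo() -> dict:
    conn = make_demo_db()
    result = {
        "vuln_version": lookup_vulnerable(conn, VERSION_PAYLOAD),
        "vuln_all_rows": lookup_vulnerable(conn, ALL_ROWS_PAYLOAD),
        "hardened_legit": lookup_hardened(conn, "2"),
    }
    try:
        lookup_hardened(conn, VERSION_PAYLOAD)
        result["hardened_payload"] = "accepted"
    except ValueError as exc:
        result["hardened_payload"] = f"rejected: {exc}"
    return result

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable path returns the legitimate row followed by the engine version string, which is exactly the "version details" leak the advisory describes; the hardened path returns only the requested row and refuses the payload at the validation layer. In the real PHP code base the equivalent of layer 2 is a prepared statement (PDO or mysqli with bound parameters), and layer 1 is a cast or a digits-only check before the statement is built.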

Defensive priority

high

Recommended defensive actions

  • Apply a vendor fix for The Open ISES Project 3.30A if one is published; the stored evidence does not identify a fixed version, so until then treat the endpoint as exposed and rely on the compensating controls below
  • Implement parameterized queries or prepared statements for all database interactions in add_facnote.php, so that the ticket_id value is bound as data rather than concatenated into the SQL text
  • Apply strict input validation on the ticket_id parameter, accepting only a positive integer and rejecting the request otherwise
  • Deploy Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting add_facnote.php, as a stopgap rather than a substitute for fixing the query
  • Review application and web server logs for historical exploitation attempts, in particular requests to add_facnote.php whose ticket_id is not a plain integer
  • Restrict network access to the Open ISES application to trusted IP ranges where possible; because the vulnerable endpoint requires no login, limiting only the administrative pages is not sufficient
  • Conduct a database audit to identify potential unauthorized data access if exploitation is suspected
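To support the log review step above, here is an added example (not part of the original advisory and not a tool of the Open ISES Project) that scans web server access logs in combined log format for GET requests to add_facnote.php whose ticket_id parameter is not a plain integer. The log lines are constructed for the example; the `/ises/` path prefix and the timestamps are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines in combined log format; not real traffic.
# Lines 2 and 3 carry tampered ticket_id values, the rest are benign.
SAMPLE_LOG = """\
203.0.113.10 - - [29/May/2026:10:01:02 +0000] "GET /ises/add_facnote.php?ticket_id=42 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2026:10:01:09 +0000] "GET /ises/add_facnote.php?ticket_id=42%20AND%201%3D1 HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.10 - - [29/May/2026:10:01:15 +0000] "GET /ises/add_facnote.php?ticket_id=42%20UNION%20SELECT%20NULL,version() HTTP/1.1" 500 311 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:02:00 +0000] "GET /ises/index.php HTTP/1.1" 200 2040 "-" "Mozilla/5.0"
198.51.100.7 - - [29/May/2026:10:02:30 +0000] "POST /ises/add_facnote.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, method,
# request target and status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def suspicious_requests(log_text: str) -> list[dict]:
    """Return one record per add_facnote.php request whose ticket_id, after
    percent-decoding, is anything other than a run of digits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = urlsplit(m["target"])
        if not target.path.endswith("/add_facnote.php"):
            continue
        # parse_qs percent-decodes values, so "%20UNION%20" becomes " UNION ".
        values = parse_qs(target.query, keep_blank_values=True).get("ticket_id", [])
        for raw in values:
            if not re.fullmatch(r"[0-9]+", raw):
                hits.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "status": m["status"],
                    "ticket_id": raw,
                })
    return hits

def sources(hits: list[dict]) -> dict:
    """Count suspicious requests per client IP for triage."""
    counts: dict = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts

if __name__ == "__main__":
    found = suspicious_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} status={h["status"]} ticket_id={h["ticket_id"]!r}')
    print("per-source counts:", sources(found))
```

Two caveats when running this against real logs: the check only sees query strings, so it catches the GET vector the advisory describes but not a body-submitted ticket_id unless request bodies are logged; and a single percent-decode will not unwrap double-encoded or comment-obfuscated payloads, so a hit count of zero is not proof of absence.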

Evidence notes

Vulnerability disclosed via VulnCheck advisory; Exploit-DB entry 45645 documents the SQL injection vector. NVD record shows Deferred status with CVSS 4.0 vector. SourceForge links confirm project hosting and download availability.

Official resources
