PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25392 Talagasoft CVE debrief

CVE-2018-25392 documents an SQL injection vulnerability in MaxOn ERP Software versions 8.x through 9.x. The flaw sits in the log_activity function, which uses the nomor, user, and jenis request parameters in SQL statements without proper sanitization. An authenticated attacker can exploit it by sending crafted POST requests to /index.php/user/log_activity with SQL payloads in those parameters, causing arbitrary SQL to execute against the backend database. Successful exploitation permits extraction of sensitive database metadata, including the server version and the database name. Exploitation requires network access and valid credentials for an application account; the CVSS 4.0 base score is 7.1 (HIGH severity). The CVE record was published on May 29, 2026 and modified the same day, and its NVD status is currently Deferred. Source references include a VulnCheck advisory and an Exploit-DB entry.

Vendor
Talagasoft
Product
MaxOn ERP
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-29
Original CVE updated
2026-05-29
Advisory published
2026-05-29
Advisory updated
2026-05-29

Who should care

Organizations running MaxOn ERP Software versions 8.x or 9.x, particularly those with externally accessible installations; because the attack needs only low-privileged application credentials, any user account, including a compromised one, is a sufficient foothold. Database administrators and application security teams responsible for ERP system integrity. Security operations teams monitoring for web application attacks against enterprise resource planning platforms.

Technical summary

The log_activity function in MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability because the nomor, user, and jenis parameters are used in SQL statements without sufficient input sanitization. An authenticated attacker can inject arbitrary SQL through POST requests to /index.php/user/log_activity and, for example, extract the database version and name. The vulnerability is rated HIGH with a CVSS 4.0 score of 7.1: network attack vector, low attack complexity, low privileges (any authenticated user), no user interaction, high impact on confidentiality and low impact on integrity of the vulnerable system.
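The advisory does not show MaxOn's code. The following is an added Python illustration of the CWE-89 pattern it describes, not the product's own code (which, given the index.php path, is PHP): it assumes log_activity writes one row to an activity-log table, stands in sqlite3 for the real backend, and uses a constructed payload in the nomor field that smuggles a database function call into the stored row. The allowlist formats in validate() are hypothetical; the page does not document the real field formats.

```python
"""Added illustration of the CWE-89 pattern behind CVE-2018-25392.

Example code, not MaxOn ERP's own code. Assumptions (not stated in the
advisory): log_activity writes one row to an activity-log table, and sqlite3
stands in for the real backend. Only the three parameters the advisory names,
nomor, user and jenis, are attacker-controlled.
"""
import re
import sqlite3

SCHEMA = "CREATE TABLE activity_log (nomor TEXT, user TEXT, jenis TEXT)"

# Constructed payload for the nomor field: close the string literal, supply
# our own three values (one of them a database function call), close the
# VALUES list, and comment out the rest of the original statement. Against
# MySQL the same shape would call version() or database() instead.
PAYLOAD = "x', sqlite_version(), 'probe') -- "

# What the payload leaks from this stand-in backend.
DB_VERSION = sqlite3.sqlite_version


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def log_activity_vulnerable(conn: sqlite3.Connection, nomor: str, user: str, jenis: str) -> None:
    """Builds the INSERT by string formatting: request values become SQL text."""
    sql = (
        "INSERT INTO activity_log (nomor, user, jenis) "
        f"VALUES ('{nomor}', '{user}', '{jenis}')"
    )
    conn.execute(sql)


def log_activity_fixed(conn: sqlite3.Connection, nomor: str, user: str, jenis: str) -> None:
    """Bound parameters: the driver keeps the values separate from the SQL text."""
    conn.execute(
        "INSERT INTO activity_log (nomor, user, jenis) VALUES (?, ?, ?)",
        (nomor, user, jenis),
    )


# Hypothetical allowlists; the real field formats are not documented on the page.
NOMOR_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9/._-]{0,63}$")
JENIS_ALLOWED = frozenset({"login", "logout", "create", "update", "delete"})


def validate(nomor: str, user: str, jenis: str) -> bool:
    """Defence in depth on top of parameterization, not a substitute for it."""
    return bool(NOMOR_RE.match(nomor)) and 0 < len(user) <= 64 and jenis in JENIS_ALLOWED


def stored_row(handler) -> tuple:
    """Runs one handler against a fresh DB with the payload and returns the row that landed."""
    conn = fresh_db()
    handler(conn, PAYLOAD, "bob", "login")
    row = conn.execute("SELECT nomor, user, jenis FROM activity_log").fetchone()
    conn.close()
    return row


if __name__ == "__main__":
    # Vulnerable: the user column now holds the database version; the
    # attacker reads it back wherever the activity log is displayed.
    print("vulnerable:", stored_row(log_activity_vulnerable))
    # Fixed: the whole payload is stored literally as the nomor value.
    print("fixed:     ", stored_row(log_activity_fixed))
    print("validate(PAYLOAD, ...):", validate(PAYLOAD, "bob", "login"))
```

The vulnerable handler stores the library version string in the user column because the payload rewrote the statement; the fixed handler stores the payload as an inert string. Note that validation alone would also have rejected this payload, but only because the hypothetical nomor format excludes quotes; parameterization is what makes the fix hold for every input.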

Defensive priority

HIGH

Recommended defensive actions

  • Fix the root cause: use parameterized queries (bound parameters) for every SQL statement that consumes the nomor, user, and jenis values in log_activity; input validation (allowlisted formats for nomor and jenis) is useful defence in depth but not a substitute for parameterization
  • Run the application with a least-privilege database account that has no access to other schemas and no server-level or administrative privileges, so an injection cannot read beyond the ERP's own tables
  • Monitor for suspicious POST requests to /index.php/user/log_activity; standard web server access logs do not record POST bodies, so detecting payloads in nomor, user, or jenis requires WAF audit logging, reverse-proxy body logging, or application-level logging of those parameters
  • Review and update Web Application Firewall rules to detect and block SQL injection attempts against ERP endpoints, treating this as a stopgap until the code is fixed
  • Check whether Talagasoft has released a fixed build for versions 8.x and 9.x and prioritize its deployment; until then, limit who can reach the application and review which accounts hold valid credentials
  • Use database activity monitoring to catch unauthorized query execution and schema enumeration from the application account, for example unexpected calls to version() or database() or reads of catalog or information_schema tables
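The monitoring recommendation above needs request bodies, not just access-log request lines. The following is an added detection example, not a PatchSiren or vendor tool: it assumes the application, a reverse proxy, or a WAF audit log emits one JSON object per request including the form body, and it scans the three named parameters for indicators that go beyond a lone quote (so a value such as O'Brien does not fire). The field names and log lines are constructed for this example.

```python
"""Added detection example for the advisory's monitoring recommendation.

Example code, not a PatchSiren or vendor tool. Assumes a JSON-lines request
log that includes the POST body; the field names and the sample lines below
are constructed for this example.
"""
import json
import re
from urllib.parse import parse_qs

TARGET_PATH = "/index.php/user/log_activity"
WATCHED_PARAMS = ("nomor", "user", "jenis")

# Each indicator needs more than a lone quote, so names like O'Brien do not fire.
INDICATORS = {
    "quote_then_sql": re.compile(r"'\s*(?:,|\)|;|or\b|and\b|union\b)", re.I),
    "comment_seq": re.compile(r"--|/\*"),
    "db_function": re.compile(
        r"\b(?:version|database|schema|current_user|sleep|benchmark|"
        r"extractvalue|updatexml|load_file)\s*\(", re.I),
    "union_select": re.compile(r"\bunion\b(?:\s+all)?\s+select\b", re.I),
}

# Constructed sample log: two benign requests (one with an apostrophe in the
# user name), two injection attempts against the advisory's endpoint, and one
# attempt against a different path that this scanner is not scoped to.
SAMPLE_LOG = """\
{"ts":"2026-05-29T10:00:01Z","method":"POST","path":"/index.php/user/log_activity","status":200,"body":"nomor=INV-2024-0001&user=bob&jenis=login"}
{"ts":"2026-05-29T10:00:05Z","method":"POST","path":"/index.php/user/log_activity","status":200,"body":"nomor=INV-2024-0002&user=O%27Brien&jenis=logout"}
{"ts":"2026-05-29T10:01:12Z","method":"POST","path":"/index.php/user/log_activity","status":200,"body":"nomor=x%27%2C+version%28%29%2C+%27probe%27%29+--+&user=bob&jenis=login"}
{"ts":"2026-05-29T10:01:15Z","method":"POST","path":"/index.php/user/log_activity","status":500,"body":"nomor=1&user=bob&jenis=x%27+UNION+SELECT+database%28%29%2C2%2C3--+-"}
{"ts":"2026-05-29T10:02:00Z","method":"POST","path":"/index.php/user/profile","status":200,"body":"user=bob%27+OR+1%3D1--+"}
"""


def inspect_value(value: str) -> list[str]:
    """Returns the names of all indicators that match the decoded parameter value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_log(text: str) -> list[dict]:
    """Scans POSTs to the vulnerable endpoint and reports suspicious parameter values."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        rec = json.loads(raw)
        if rec.get("method") != "POST" or rec.get("path") != TARGET_PATH:
            continue
        # parse_qs decodes percent-encoding and '+' so the patterns see plain text.
        params = parse_qs(rec.get("body", ""), keep_blank_values=True)
        for name in WATCHED_PARAMS:
            for value in params.get(name, []):
                hits = inspect_value(value)
                if hits:
                    findings.append({
                        "line": lineno,
                        "ts": rec.get("ts"),
                        "param": name,
                        "value": value,
                        "indicators": hits,
                    })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['ts']} {f['param']}={f['value']!r} -> {f['indicators']}")
```

Only the two requests against /index.php/user/log_activity are reported; the profile request is left to a broader rule set, and the O'Brien login is not flagged. The HTTP 500 on the second attempt is itself a useful secondary signal, since a syntactically broken injection often surfaces as a database error.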

Evidence notes

SQL injection confirmed via the nomor, user, and jenis parameters of the log_activity function. Attack vector requires authenticated POST requests to /index.php/user/log_activity. Stored CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N (the subsequent-system metrics SC/SI/SA that complete a CVSS 4.0 base vector are not present in the stored record). CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) identified as the primary weakness.

Official resources

The vulnerability was disclosed via VulnCheck and is documented in NVD with references to vendor resources and proof-of-concept materials.