PatchSiren

PatchSiren cyber security CVE debrief

CVE-2018-25319 Unknown Vendor CVE debrief

CVE-2018-25319 describes an authenticated SQL injection issue in the REDAXO CMS Addon MyEvents 2.2.1. The supplied corpus says attackers can pass malicious myevents_id values to event_add.php over GET requests and potentially extract or modify database data. The NVD record maps the issue to CWE-89 and rates it High severity with a CVSS 7.1 score.

Vendor: Unknown Vendor
Product: Unknown
CVSS: HIGH 7.1
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-17
Original CVE updated: 2026-05-18
Advisory published: 2026-05-17
Advisory updated: 2026-05-18

Who should care

Administrators and developers running REDAXO sites with the MyEvents addon installed, especially any deployment that still uses version 2.2.1 or exposes event_add.php to authenticated users. Security teams should also care if the application stores sensitive data in the backend database or if authenticated web requests are not closely monitored.

Technical summary

The vulnerability is an SQL injection in the MyEvents addon’s event_add.php handler. According to the supplied description, the myevents_id parameter is not safely handled, allowing an authenticated attacker to influence database queries. The expected impact is confidentiality and integrity loss at the database layer, consistent with the NVD’s CWE-89 classification and the reported ability to extract or alter sensitive data.

Defensive priority

High. The issue requires authentication, but it affects a database-facing input path and can expose or alter sensitive records. Prioritize remediation on any exposed REDAXO deployments that include MyEvents 2.2.1, especially if the addon is still active or reachable by less-trusted authenticated users.

Recommended defensive actions

  • Identify whether REDAXO CMS Addon MyEvents is installed and confirm the exact version in use.
  • Upgrade to a fixed version or remove/disable the MyEvents addon if it is not required.
  • Review event_add.php access controls and ensure only necessary authenticated roles can reach it.
  • Inspect application and database logs for suspicious GET requests containing unusual myevents_id values.
  • Hunt for signs of SQL injection attempts in web logs, WAF logs, and database error logs.
  • Limit the database account used by the application to the minimum privileges needed.
  • Validate that server-side input handling uses parameterized queries for all addon database access.
  • If exposure is suspected, review database integrity and sensitive-record access after remediation.
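As an added example for the log-review steps above (not part of the PatchSiren debrief or of the MyEvents addon), this Python helper walks access-log lines, scopes to requests for event_add.php, and flags any myevents_id value that is not a plain integer, separating quote/comment/keyword hits from merely non-numeric values. The log format, the request paths and the sample lines are constructed assumptions for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines (Apache combined-style); not real traffic. The
# event_add.php path and query layout are assumptions made for illustration.
SAMPLE_LOG = """\
203.0.113.10 - editor [17/May/2026:10:01:02 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=42 HTTP/1.1" 200 5120
203.0.113.10 - editor [17/May/2026:10:01:09 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=42%27 HTTP/1.1" 500 612
203.0.113.10 - editor [17/May/2026:10:01:15 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=0%20UNION%20SELECT%201 HTTP/1.1" 200 7340
203.0.113.11 - editor [17/May/2026:10:02:00 +0000] "GET /redaxo/index.php?page=myevents&myevents_id=abc HTTP/1.1" 200 5120
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
PLAIN_ID = re.compile(r"^\d+$")
# Quote/comment characters and SQL keywords that a numeric id never needs.
SQL_HINT = re.compile(r"['\"`;]|--|/\*|\b(union|select|or|and|sleep|benchmark)\b", re.I)

def classify_id(value):
    """None for a plain integer id, otherwise a short reason for flagging it."""
    if PLAIN_ID.match(value):
        return None
    if SQL_HINT.search(value):
        return "sql-metacharacter-or-keyword"
    return "non-integer"

def find_suspicious_requests(log_text):
    """One finding per event_add.php request whose myevents_id is not an integer."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # unparsable line: skip rather than guess
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith("event_add.php"):
            continue  # only the handler named in the advisory is in scope
        # parse_qs percent-decodes, so "42%27" arrives here as "42'"
        for value in parse_qs(parts.query, keep_blank_values=True).get("myevents_id", []):
            reason = classify_id(value)
            if reason:
                findings.append({"ip": m.group("ip"), "user": m.group("user"),
                                 "ts": m.group("ts"), "status": int(m.group("status")),
                                 "value": value, "reason": reason})
    return findings

for f in find_suspicious_requests(SAMPLE_LOG):
    print(f"{f['ts']} {f['ip']} user={f['user']} myevents_id={f['value']!r} reason={f['reason']}")
```

The hits carry the authenticated username and the response status, so a 500 on a quote-bearing value and a 200 on a keyword-bearing value from the same account can be correlated with database error logs as the list above suggests.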

Evidence notes

This debrief is based only on the supplied NVD-derived corpus and its listed references. The corpus explicitly states an authenticated SQL injection in REDAXO CMS Addon MyEvents 2.2.1 via the myevents_id parameter on event_add.php, and the NVD metadata assigns CWE-89. The source metadata also lists references to a GitHub repository, Exploit-DB, and a VulnCheck advisory, but their contents were not independently inspected here.

Official resources

The supplied corpus presents this issue as an authenticated SQL injection affecting REDAXO CMS Addon MyEvents 2.2.1; the provided timeline metadata lists the record as published on 2026-05-17. No exploit steps are included here.