CVE-2018-25257
Description
Adianti Framework 5.5.0 and 5.6.0 contain an SQL injection vulnerability that allows authenticated users to manipulate database queries by injecting SQL code through the name field in SystemProfileForm. Attackers can submit crafted SQL statements to the profile edit endpoint to modify user credentials and gain administrative access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Adianti Framework 5.5.0 and 5.6.0 SQL injection in SystemProfileForm allows authenticated users to modify credentials and gain admin access.
The vulnerability is an SQL injection in the Adianti Framework versions 5.5.0 and 5.6.0, specifically in the SystemProfileForm component. The name field is not properly sanitized, allowing authenticated users to inject arbitrary SQL statements [1][2].
An attacker with ordinary user privileges can exploit this by navigating to their profile edit page and injecting SQL code into the name field. The injection can modify database queries to change the login and password of any user, including the administrator [1].
Successful exploitation enables the attacker to overwrite the administrator's credentials, log in as admin, and gain full control over the application. The provided proof-of-concept demonstrates changing the admin account to a known username and password [1].
As of the disclosed information, no patch has been released. Users are advised to upgrade to a patched version if available or apply input validation and parameterized queries as a workaround [2].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
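The query pattern behind the vulnerability class described above, alongside the parameterized-query and input-validation workarounds the narrative recommends, as an added PHP example. It is not code from the Adianti project or from the CVE references: the table name system_user, its columns, the function names, and the in-memory SQLite database reached through PDO (requires the pdo_sqlite extension) are assumptions for illustration only.

```php
<?php
// Added example, not Adianti project code. Schema and names are assumptions.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE system_user (id INTEGER PRIMARY KEY, login TEXT, name TEXT, password TEXT)");
// Constructed sample rows; password values are placeholders, not real hashes.
$pdo->exec("INSERT INTO system_user (login, name, password) VALUES ('admin', 'Administrator', 'hash-admin')");
$pdo->exec("INSERT INTO system_user (login, name, password) VALUES ('alice', 'Alice', 'hash-alice')");

// Vulnerable pattern (hypothetical): the user-controlled display name is
// concatenated into the UPDATE statement, so whatever the user types is handed
// to the SQL parser. Any quote in the input leaves the string literal, and the
// remainder of the input is interpreted as SQL rather than stored as data.
function updateNameUnsafe(PDO $pdo, int $userId, string $name): void
{
    $sql = "UPDATE system_user SET name = '" . $name . "' WHERE id = " . $userId;
    $pdo->exec($sql);
}

// Hardened pattern: named placeholders bind the value separately from the
// statement text. The database never parses $name as SQL, whatever it contains,
// and the WHERE clause is fixed to the caller's own row id.
function updateNameSafe(PDO $pdo, int $userId, string $name): void
{
    $stmt = $pdo->prepare("UPDATE system_user SET name = :name WHERE id = :id");
    $stmt->execute([':name' => $name, ':id' => $userId]);
}

// Defence in depth, not a substitute for binding: an allowlist for a display
// name (letters incl. accented ones, marks, spaces, dots, apostrophes, hyphens;
// 1 to 80 characters). Rejecting anything else narrows what reaches the query.
function isPlausibleDisplayName(string $name): bool
{
    return preg_match('/^[\p{L}\p{M} .\'\-]{1,80}$/u', $name) === 1;
}

// A legitimate name containing an apostrophe is enough to show the difference:
// the unsafe query sends the quote to the SQL parser (here a syntax error; with
// crafted input, altered statement semantics), the safe query stores it as-is.
$input = "O'Brien";
try {
    updateNameUnsafe($pdo, 2, $input);
    echo "unsafe: statement executed\n";
} catch (PDOException $e) {
    echo "unsafe: input reached the SQL parser: " . $e->getMessage() . "\n";
}
updateNameSafe($pdo, 2, $input);
$row = $pdo->query("SELECT name FROM system_user WHERE id = 2")->fetch(PDO::FETCH_ASSOC);
echo "safe: stored name = " . $row['name'] . "\n";
echo "allowlist accepts input? " . (isPlausibleDisplayName($input) ? 'yes' : 'no') . "\n";
// Admin row is untouched by the safe path: the bound id limits the update.
$admin = $pdo->query("SELECT login, password FROM system_user WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
echo "admin row: " . $admin['login'] . " / " . $admin['password'] . "\n";
```

The point of the apostrophe test is that the same input which is merely inconvenient for an honest user is a parser entry point for an attacker; a fix belongs in how the query is built (binding), with the allowlist and a server-side check that the updated row id equals the authenticated user's id as additional layers.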
Affected products (1)
- Range: 5.5.0, 5.6.0
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.