VYPR
High severity · 7.1 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25392

Description

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability in the log_activity function allowing authenticated users to extract database information.

Vulnerability

MaxOn ERP Software versions 8.x through 9.x are vulnerable to SQL injection in the log_activity function located in /pos/controllers/User.php (line 350) and /application/controllers/User.php (line 414) [1]. The function builds its SQL query by concatenating the user-supplied nomor, user, and jenis POST parameters straight into the query string, with neither parameter binding nor escaping [1][2], so any authenticated user can inject arbitrary SQL.

Exploitation

An attacker must be an authenticated user of the MaxOn ERP system. By sending a POST request to /index.php/user/log_activity with crafted values in the nomor, user, or jenis parameters, the attacker changes the SQL statement the function executes. The referenced proof-of-concept uses the injected parameters to make the database return its version and the name of the current database [1]. The attack requires no privileges beyond a valid session; no particular role is needed.

Impact

Successful exploitation lets an authenticated attacker run arbitrary SQL, which the references demonstrate by disclosing the database version and the current database name [1][2]. What else can be read or modified depends on the privileges of the database account the application connects with; if that account is not restricted to the ERP schema, other databases on the same server are reachable too.

Mitigation

As of the available references, no official patch has been released for this vulnerability. The vendor homepage is listed as http://www.talagasoft.com, but no update is mentioned [1]. Until a vendor fix is available, operators can restrict access to /index.php/user/log_activity (for example at a reverse proxy) and add server-side validation of the nomor, user, and jenis parameters as a workaround; the durable fix is for the function to pass these values as bound parameters instead of concatenating them into the query. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Direct concatenation of unsanitized user input into a SQL query string in the log_activity() function."

Attack vector

An authenticated attacker sends a POST request to `/index.php/user/log_activity` with SQL in the `nomor`, `user`, or `jenis` parameters. The value arrives URL-encoded, is decoded by the framework, and is concatenated as-is into the SQL query string, so the attacker can read the database version and current database name through error-based extraction (e.g., `EXTRACTVALUE` over a `CONCAT` of `version()` and `database()`, which MySQL echoes back in its XPath syntax error) [1]. Error-based extraction of this kind only works when the application returns database error text to the client; otherwise the attacker falls back to blind techniques. The attacker only needs a valid session cookie (e.g., `ci_session`) to reach the endpoint.

Affected code

The vulnerability resides in the `log_activity()` function defined in `/pos/controllers/User.php` (line 350) and `/application/controllers/User.php` (line 414). The function constructs a SQL query by directly concatenating user-supplied values from the `nomor`, `user`, and `jenis` POST parameters without sanitization [1].

What the fix does

No patch is provided in the bundle. The advisory shows that `log_activity()` concatenates POST parameters directly into a SQL string with neither parameter binding nor escaping. The fix is to pass the three values as bound parameters of a prepared statement (or through the framework's query builder), so the SQL text is fixed and the data can never become syntax; escaping through the database driver is the weaker fallback where binding is impossible. Validating `nomor`, `user`, and `jenis` against the formats the application expects is a useful second layer but not a substitute for binding.
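The following is an added illustration for the attack vector and fix described above; it is not MaxOn ERP's code and not the referenced proof-of-concept. It shows the concatenation pattern the advisory describes next to a hardened version of the same controller method. The controller layout follows CodeIgniter 3, which is inferred from the /application/controllers path and the ci_session cookie rather than stated by the advisory. The table name `log_activity`, its columns, the INSERT shape, the allow-list of `jenis` values, and the example payload in the comment are all assumptions.

```php
<?php
// Added illustration for this advisory; not MaxOn ERP's code and not the
// referenced proof-of-concept. Controller layout follows CodeIgniter 3
// (inferred from the /application/controllers path and the ci_session cookie).
// ASSUMED: table name log_activity, its columns, the INSERT shape, the
// allow-list for jenis, and the example payload in the comment below.
defined('BASEPATH') OR exit('No direct script access allowed');

class User extends CI_Controller
{
    // Vulnerable pattern described by the advisory: POST values are spliced
    // into the SQL text. With (assumed payload)
    //   nomor = 1' AND EXTRACTVALUE(1, CONCAT(0x7e, version(), 0x7e, database()))-- -
    // the quote closes the string literal, EXTRACTVALUE raises an XPath syntax
    // error whose message carries version() and database(), and "-- -" comments
    // out the rest of the statement. The attacker only sees that message if the
    // application echoes database errors (db_debug = TRUE in CodeIgniter).
    public function log_activity_vulnerable()
    {
        $nomor = $this->input->post('nomor');
        $user  = $this->input->post('user');
        $jenis = $this->input->post('jenis');

        $sql = "INSERT INTO log_activity (nomor, user, jenis, waktu) "
             . "VALUES ('" . $nomor . "', '" . $user . "', '" . $jenis . "', NOW())";
        $this->db->query($sql);
    }

    // Hardened version: reject anything outside the expected format, then pass
    // the values as query bindings. CodeIgniter escapes and quotes each bound
    // value itself, so the SQL text is fixed and data cannot become syntax.
    // Note that the ? placeholders are NOT wrapped in quotes.
    public function log_activity()
    {
        $this->load->library('form_validation');
        $this->form_validation->set_rules('nomor', 'nomor', 'required|integer');
        $this->form_validation->set_rules('user',  'user',  'required|alpha_dash|max_length[64]');
        // ASSUMED allow-list of activity types.
        $this->form_validation->set_rules('jenis', 'jenis', 'required|in_list[login,logout,create,update,delete]');

        if ($this->form_validation->run() === FALSE) {
            $this->output->set_status_header(400);
            echo json_encode(array('errors' => $this->form_validation->error_array()));
            return;
        }

        $sql = "INSERT INTO log_activity (nomor, user, jenis, waktu) VALUES (?, ?, ?, NOW())";
        $this->db->query($sql, array(
            (int) $this->input->post('nomor'),
            $this->input->post('user'),
            $this->input->post('jenis'),
        ));
    }
}
```

With the hardened method the payload above is rejected by the `integer` rule before any query runs, and even a value that passed validation would be inserted as a literal string because the driver quotes and escapes each bound value. The validation rules are a second layer; the binding is what removes the injection.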

Preconditions

  • auth: The attacker must have a valid authenticated session (ci_session cookie).
  • network: The attacker must be able to send HTTP POST requests to the target server.
  • input: The attacker supplies malicious SQL in the nomor, user, or jenis POST parameters.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.