VYPR
High severity 8.2 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25394

Description

Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the release_id parameter of boards_buttons/update_release.php. The release_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Kados R10 GreenBee suffers from an unauthenticated SQL injection in the release_id parameter of update_release.php, allowing attackers to extract database contents.

Vulnerability

Kados R10 GreenBee contains an SQL injection vulnerability in the `boards_buttons/update_release.php` script. The `release_id` parameter is concatenated directly into SQL queries without sanitization, as shown in the source code: `$request=new sqlRequest("SELECT * FROM kados_releases WHERE release_id=".$_REQUEST['release_id'],$cnx->num);` [2]. This allows unauthenticated attackers to inject arbitrary SQL via a crafted GET request. The vulnerability affects all installations of Kados R10 GreenBee [1][2][3][4].

Exploitation

An attacker can exploit this vulnerability by sending a GET request to `/boards_buttons/update_release.php` with a malicious `release_id` parameter. No authentication is required. The exploit demonstrated in [2] uses a UNION-based payload to extract information. For example, the URL-encoded payload `%2d%31%20%20%55%4e%49%4f%4e...` (decoded: `-1 UNION SELECT 1,CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),3,4,5,6,7,8,9-- -`) retrieves the current database user, database name, and DBMS version [2]. The attacker only needs network access to the target web application.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries, leading to disclosure of sensitive database information such as user credentials, database contents, and server version. The attacker can potentially extract all data from the database, including user tables, project data, and configuration details [2][4]. The impact is limited to information disclosure; however, depending on database permissions, further escalation may be possible.

Mitigation

As of the available references, no official patch has been released for Kados R10 GreenBee. The vendor's website (kados.info) and SourceForge page do not mention a fix [1][3]. Users are advised to upgrade to a newer version if available, or implement input validation and parameterized queries for the release_id parameter. If no update is provided, consider disabling or restricting access to the vulnerable script. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The `release_id` and `feature_id` parameters are concatenated directly into SQL queries without sanitization, enabling SQL injection."

Attack vector

An unauthenticated attacker sends a crafted GET request to `/boards_buttons/update_release.php` (or `/boards_buttons/update_feature.php`) with a malicious `release_id` (or `feature_id`) parameter. The parameter value is concatenated directly into SQL statements, allowing UNION-based SQL injection. The attacker can extract the current database user, database name, and DBMS version. No authentication is required and the attack is performed over HTTP.

Affected code

The vulnerability exists in `/boards_buttons/update_release.php` (and `/boards_buttons/update_feature.php`). The `release_id` and `feature_id` parameters are concatenated directly into SQL queries without sanitization. The advisory notes that more than 40 files are vulnerable.

What the fix does

The advisory does not include a patch diff or remediation code. The fix would require parameterized queries or prepared statements for all SQL queries that use `$_REQUEST['release_id']` and `$_REQUEST['feature_id']` (and the other 40+ vulnerable files). Input validation and escaping of user-supplied values should also be applied.
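One way to implement the fix described above for the `release_id` lookup, as an added example that is not Kados code and does not come from the advisory. PDO, the in-memory SQLite database, the `fetchRelease` helper and the `release_name` column are assumptions standing in for the application's own `sqlRequest` wrapper and schema.

```php
<?php
declare(strict_types=1);

// Added example, not Kados code. PDO and the in-memory SQLite table are
// assumptions that stand in for the application's sqlRequest wrapper and
// its real database schema.

/**
 * Return the release row for a request-supplied id, or null when the id
 * is not a positive integer or no matching row exists.
 */
function fetchRelease(PDO $db, mixed $rawId): ?array
{
    // 1. Allow-list validation: release_id must be a positive integer.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // rejected before any SQL is prepared
    }

    // 2. Bound parameter: the value is sent separately from the SQL text,
    //    so it can never change the structure of the statement.
    $stmt = $db->prepare('SELECT * FROM kados_releases WHERE release_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data (hypothetical column release_name).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE kados_releases (release_id INTEGER PRIMARY KEY, release_name TEXT)');
$db->exec("INSERT INTO kados_releases VALUES (1, 'R1'), (2, 'R2')");

// A well-formed id returns its row.
var_dump(fetchRelease($db, '2'));

// A non-integer value of the kind the advisory describes is rejected.
var_dump(fetchRelease($db, '-1 UNION SELECT 1,2'));

// A missing parameter (null) is rejected as well.
var_dump(fetchRelease($db, null));
```

The same two steps apply to `feature_id` and to every other script that builds SQL from request values; validation alone is not a substitute for the bound parameter.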

Preconditions

  • network: Attacker must be able to send HTTP GET requests to the target web server.
  • auth: No authentication is required; the vulnerability is accessible to unauthenticated users.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4
