CVE-2018-25395
Description
Kados R10 GreenBee contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the feature_id parameter of boards_buttons/update_feature.php. The feature_id value is concatenated directly into SQL statements without sanitization, allowing attackers to send a crafted GET request with a UNION-based payload to extract sensitive database information including the current user, database name, and DBMS version.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Kados R10 GreenBee has an unauthenticated SQL injection in update_feature.php allowing database information extraction.
Vulnerability
Kados R10 GreenBee is vulnerable to SQL injection in the boards_buttons/update_feature.php script. The feature_id parameter is concatenated directly into SQL queries without sanitization, allowing injection of arbitrary SQL [4]. The affected version is R10 GreenBee [1][2].
Exploitation
An unauthenticated attacker can send a crafted GET request with a malicious feature_id parameter containing a UNION SELECT payload. No authentication or user interaction is required [4]. The attack can be performed remotely over HTTP.
Impact
Successful exploitation allows the attacker to extract sensitive database information, including the current database user, database name, and DBMS version. This exposure could lead to further compromise of the application and its data [4].
Mitigation
No official patch or security update has been released by the vendor as of the publication date. Users should consider disabling the vulnerable endpoint or implementing input validation and parameterized queries. The software is open source and may be forked for fixes [1][2][4].
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The `feature_id` and `release_id` parameters are concatenated directly into SQL queries without sanitization, enabling SQL injection."
Attack vector
An unauthenticated attacker sends a crafted GET request to `/boards_buttons/update_feature.php` (or `/boards_buttons/update_release.php`) with a URL-encoded UNION-based SQL payload in the `feature_id` (or `release_id`) parameter [ref_id=1]. The parameter value is concatenated directly into the SQL statement without sanitization, allowing the attacker to extract the current database user, database name, and DBMS version via the `CONCAT_WS` function in the response [ref_id=1]. No authentication is required, and the attack is performed over HTTP.
Affected code
The vulnerability exists in `/boards_buttons/update_feature.php` and `/boards_buttons/update_release.php`. In `update_feature.php`, the `feature_id` parameter is concatenated directly into a SQL query: `"SELECT * FROM kados_features WHERE feature_id=".$_REQUEST['feature_id']` [ref_id=1]. The advisory notes that more than 40 files are similarly vulnerable [ref_id=1].
What the fix does
No patch is provided in the bundle. The advisory does not include a vendor fix or remediation guidance. To close the vulnerability, the application must use parameterized queries (prepared statements) or properly sanitize/escape the `feature_id` and `release_id` input values before concatenation into SQL statements.
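The remediation named here and under Mitigation (input validation plus a parameterized query), as an added example that is not code from Kados or from the advisory. It assumes PHP 8 with PDO and an in-memory SQLite database as a stand-in for the application's database; only the table name `kados_features` and the column `feature_id` come from the page, while the `title` column, the sample rows and the helper names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the application's database (assumption: PDO + SQLite).
// The "title" column and both rows are invented for this example.
function open_demo_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE kados_features (feature_id INTEGER PRIMARY KEY, title TEXT)');
    $pdo->exec("INSERT INTO kados_features VALUES (1, 'Login page'), (2, 'Export board')");
    return $pdo;
}

// Hypothetical helper: accept feature_id only when it is a positive integer.
// Request parameters can arrive as arrays (feature_id[]=...), so reject non-strings.
function parse_feature_id(mixed $raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hypothetical helper: the same lookup as the affected code, with the value
// bound as an integer parameter instead of concatenated into the statement.
function find_feature(PDO $pdo, mixed $raw): ?array
{
    $id = parse_feature_id($raw);
    if ($id === null) {
        return null; // caller should answer with HTTP 400
    }
    $stmt = $pdo->prepare('SELECT * FROM kados_features WHERE feature_id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a valid id, a value with trailing SQL, an empty value, an array.
$pdo = open_demo_db();
foreach (['2', '2 OR 1=1', '', ['2']] as $raw) {
    echo json_encode($raw), ' => ', json_encode(find_feature($pdo, $raw)), PHP_EOL;
}
```

Only the first input returns a row; the others are rejected by validation before any statement is prepared. Because the advisory reports more than 40 similarly affected files, the same pattern would have to be applied to every query built from request parameters, including `release_id` in `update_release.php`.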
Preconditions
- config: The target must be running Kados R10 GreenBee with the vulnerable PHP files accessible over HTTP.
- auth: No authentication is required; the attacker can be unauthenticated.
- network: The attacker must be able to send HTTP GET requests to the vulnerable endpoints.
- input: The attacker supplies a malicious SQL payload via the feature_id or release_id GET parameter.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 4
News mentions: 0
No linked articles in our index yet.