CVE-2018-25399
Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the tick_lat and tick_lng parameters. Attackers can send GET requests to nearby.php with crafted SQL payloads to extract sensitive database information including usernames, database names, and version details.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Open ISES Project 3.30A has an SQL injection in nearby.php via the tick_lat and tick_lng parameters, allowing unauthenticated attackers to extract sensitive database data.
Vulnerability
The Open ISES Project version 3.30A (specifically 3.30A_050318) contains a SQL injection vulnerability in the nearby.php script. The application fails to sanitize user-supplied input passed through the tick_lat and tick_lng parameters in GET requests, allowing an attacker to inject arbitrary SQL commands into the underlying database query [1][4].
Exploitation
An unauthenticated attacker can exploit this vulnerability by sending a crafted GET request to nearby.php with malicious SQL payloads in the tick_lat or tick_lng parameters. No prior authentication or special network position is required; the attacker only needs network access to the web server hosting the application [1][4]. A proof-of-concept exploit is publicly available, demonstrating injection through the tick_lat parameter [1].
Impact
Successful exploitation allows an attacker to execute arbitrary SQL queries against the application's database. This can lead to the extraction of sensitive information such as database usernames, database names, and database version details. The impact is limited to data confidentiality and integrity; remote code execution is not directly achieved through this injection [1][4].
Mitigation
As of the latest stable release (v3.44.1), no specific patch for CVE-2018-25399 has been confirmed by the vendor. The vendor homepage has been updated with newer versions, but the exact fix timeline is unclear [2][3]. Users are advised to upgrade to the latest available version of Tickets CAD (formerly Open ISES) and apply input validation to all user-controlled parameters, especially those in nearby.php. If an upgrade is not immediately possible, a web application firewall (WAF) rule blocking SQL injection patterns in the tick_lat and tick_lng parameters may serve as a temporary workaround.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =3.30A
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input from the `tick_lat` and `tick_lng` GET parameters is concatenated directly into SQL queries without sanitization or parameterization."
Attack vector
An unauthenticated attacker sends a crafted GET request to `nearby.php` with malicious SQL payloads in the `tick_lat` and `tick_lng` parameters [ref_id=1]. The application fails to sanitize these inputs, allowing the attacker to inject arbitrary SQL commands. This enables extraction of database contents such as usernames, database names, and version information via error-based or time-based techniques. The attack is network-accessible and requires no authentication.
Affected code
The vulnerability exists in `nearby.php` where the `tick_lat` and `tick_lng` GET parameters are passed directly into SQL queries without sanitization. The exploit-db reference also shows similar injection points in `main.php`, `ajax/form_post.php`, `sever_graph.php`, `inc_types_graph.php`, `city_graph.php`, and `add_facnote.php` [ref_id=1].
What the fix does
The bundle does not include a patch. The advisory only documents the exploit proof-of-concept and does not provide remediation guidance or a fix commit [ref_id=1]. To close the vulnerability, the application would need to use parameterized queries or prepared statements and properly sanitize all user-supplied input before including it in SQL statements.
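The contrast between the root cause (concatenating `tick_lat`/`tick_lng` into the query) and the fix the text calls for (validate, then bind as parameters), as an added example. This is not the project's PHP code: it uses Python with an in-memory sqlite3 table, and the schema, search radius and the injected value are constructed for illustration.

```python
import sqlite3

def make_db():
    # Constructed in-memory stand-in for the application's ticket table;
    # the schema is assumed, not the project's real one.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tickets (id INTEGER, title TEXT, lat REAL, lng REAL)")
    db.executemany("INSERT INTO tickets VALUES (?, ?, ?, ?)", [
        (1, "Fire at depot", 51.50, -0.12),
        (2, "Road closure", 51.51, -0.13),
        (3, "Flood warning", 48.85, 2.35),
    ])
    return db

def nearby_vulnerable(db, tick_lat, tick_lng):
    # Root-cause pattern from the advisory: the GET parameters are pasted
    # straight into the SQL text, so whatever they contain becomes query syntax.
    sql = (f"SELECT id, title FROM tickets WHERE lat > {tick_lat} - 0.05 "
           f"AND lat < {tick_lat} + 0.05 AND lng > {tick_lng} - 0.05 "
           f"AND lng < {tick_lng} + 0.05")
    return db.execute(sql).fetchall()

def parse_coordinate(value, lo, hi):
    # Positive validation: a coordinate is a plain decimal number within range.
    # float() rejects SQL fragments; the range check also rejects NaN and inf.
    try:
        num = float(value)
    except ValueError:
        raise ValueError(f"coordinate must be numeric, got {value!r}")
    if not lo <= num <= hi:
        raise ValueError(f"coordinate {num} outside {lo}..{hi}")
    return num

def nearby_hardened(db, tick_lat, tick_lng, radius=0.05):
    # Validated values are bound as parameters, never spliced into the SQL text.
    lat = parse_coordinate(tick_lat, -90.0, 90.0)
    lng = parse_coordinate(tick_lng, -180.0, 180.0)
    sql = ("SELECT id, title FROM tickets WHERE lat BETWEEN ? AND ? "
           "AND lng BETWEEN ? AND ?")
    params = (lat - radius, lat + radius, lng - radius, lng + radius)
    return db.execute(sql, params).fetchall()
```

With a well-formed coordinate pair both functions return the same rows; a non-numeric value makes the vulnerable query return the whole table, while the hardened path refuses it before any SQL runs.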
Preconditions
- config: The target must be running The Open ISES Project version 3.30A_050318
- auth: No authentication is required; the vulnerable endpoints are publicly accessible
- network: The attacker must be able to send HTTP GET requests to the vulnerable PHP scripts
- input: The attacker supplies SQL payloads in the tick_lat, tick_lng, id, ticket_id, or p1 parameters
Reproduction
Send a GET request to `http://localhost/[PATH]/nearby.php?tick_lat=1)%20anD%20EXTRactVALUE(112,conCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELect%20(ELT(112=112,1))),0x496873616e2053656e63616e))%20AND%20(66=66&tick_lng=1` [ref_id=1]. The server responds with an HTTP 200 OK and the response body contains database error messages that leak the current database user, database name, and MySQL version.
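Detection logic for the request pattern above, as an added Python example that is not part of the advisory: it scans web-server access logs for `nearby.php` requests whose `tick_lat` or `tick_lng` value is not a plain number and reports which SQL markers appear in it. The log lines are constructed samples (combined-log shape, assumed path prefix `/ises/`); the second line carries the public proof-of-concept URL quoted in the reproduction step.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines, not real traffic. Line 2 contains the
# proof-of-concept query string from the advisory; lines 1 and 3 are benign.
SAMPLE_LOG = """\
10.0.0.5 - - [29/May/2026:10:00:01 +0000] "GET /ises/nearby.php?tick_lat=51.5074&tick_lng=-0.1278 HTTP/1.1" 200 812
10.0.0.9 - - [29/May/2026:10:00:07 +0000] "GET /ises/nearby.php?tick_lat=1)%20anD%20EXTRactVALUE(112,conCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELect%20(ELT(112=112,1))),0x496873616e2053656e63616e))%20AND%20(66=66&tick_lng=1 HTTP/1.1" 200 1931
10.0.0.5 - - [29/May/2026:10:00:09 +0000] "GET /ises/main.php HTTP/1.1" 200 4420
"""

# A legitimate coordinate is an optionally signed decimal number, nothing else.
NUMERIC = re.compile(r"-?\d+(\.\d+)?")
# Substrings worth naming in an alert; matched case-insensitively after decoding.
SQL_MARKERS = ("select", "union", "extractvalue", "updatexml", "concat",
               "sleep(", "benchmark(", " and ", " or ", "--", "/*")

def request_target(line):
    # Pull the request target out of a combined-format log line.
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', line)
    return m.group(1) if m else None

def check_coordinates(target):
    # Return (param, decoded_value, markers) for every non-numeric coordinate
    # parameter on a nearby.php request; other scripts are ignored here.
    parts = urlsplit(target)
    if not parts.path.endswith("/nearby.php"):
        return []
    findings = []
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        if name not in ("tick_lat", "tick_lng"):
            continue
        for value in values:            # parse_qs already percent-decodes
            if NUMERIC.fullmatch(value.strip()):
                continue
            low = value.lower()
            findings.append((name, value, [mk for mk in SQL_MARKERS if mk in low]))
    return findings

def scan_log(text):
    # One alert per offending parameter, keyed by client address.
    alerts = []
    for line in text.splitlines():
        target = request_target(line)
        if target is None:
            continue
        for name, value, markers in check_coordinates(target):
            alerts.append({"client": line.split()[0], "param": name,
                           "value": value, "markers": markers})
    return alerts
```

Anchoring on "coordinate must be numeric" rather than on a keyword list keeps the check from being bypassed by case or encoding tricks; the marker list only enriches the alert.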
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.