VYPR
High severity · 8.2 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25400

Description

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the ajax/form_post.php endpoint with crafted SQL payloads to extract sensitive database information including schema names and other data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2018-25400 is an unauthenticated SQL injection in The Open ISES Project 3.30A via the 'id' parameter in ajax/form_post.php, allowing attackers to extract database contents.

Vulnerability

The Open ISES Project version 3.30A (and possibly earlier versions) contains a SQL injection vulnerability in the ajax/form_post.php endpoint. The id parameter, named in the official description and in reference [4], is used in SQL queries without sanitization or parameter binding, so an unauthenticated remote attacker can inject arbitrary SQL commands. The exploit-db reference [1] also demonstrates a proof of concept against the tick_lat parameter, indicating that more than one parameter of the same script is injectable. The affected version is explicitly 3.30A (build 050318), as noted in the exploit [1].

Exploitation

An attacker exploits this vulnerability by sending a crafted GET request to the ajax/form_post.php endpoint with a SQL payload in the id parameter (or potentially in other parameters such as tick_lat) [1][4]. The attack is unauthenticated and needs no prior access or user interaction; the attacker only requires network reachability to the web application. No special privileges, timing or race conditions are involved: the injection is a single crafted HTTP request.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the backend database. This can lead to extraction of sensitive information, including database schema names, table contents, and potentially user credentials or other confidential data [4]. The CVSS v3 base score of 8.2 (High) reflects a high confidentiality impact and a low integrity impact: the primary risk is data disclosure rather than data modification or denial of service.

Mitigation

As of the available references, no official patch or fixed version has been released by the vendor. The project source code is available on SourceForge [2][3], and the latest stable version noted on the vendor homepage is v3.44.1 [3]; it is not confirmed whether that release addresses the vulnerability. Operators should review form_post.php and replace any query that concatenates user-supplied parameters with prepared statements, validating that id is an integer before use; escaping or filtering input alone is a weaker substitute. If no fix is available for version 3.30A, upgrading to the latest release reduces exposure only if the affected code has actually changed, and a web application firewall rule that blocks SQL injection patterns is a stopgap rather than a remediation.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The application does not sanitize or parameterize user-supplied input in the 'id' parameter of ajax/form_post.php, allowing direct SQL command injection."

Attack vector

An unauthenticated attacker sends a crafted GET request to `ajax/form_post.php` with a malicious SQL payload in the `id` parameter [ref_id=2]. The application fails to neutralize special elements in the input, allowing the attacker to execute arbitrary SQL commands [CWE-89]. The exploit-db reference shows that the attacker can extract database schema names and other sensitive information using error-based techniques such as `EXTRACTVALUE` [ref_id=1]. No authentication is required, and the attack is performed over the network with low complexity.
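The Exploitation and Attack vector passages above describe a single unauthenticated GET request to ajax/form_post.php carrying SQL in the id (or tick_lat) parameter, with MySQL error-based primitives such as EXTRACTVALUE used to pull data out through the error text. The following is an added detection example, not code from this advisory or from the Open ISES project: it scans web-server access-log lines for requests to the scripts this advisory lists and flags query parameters that carry SQL syntax. Assumptions: Common Log Format lines; matching on the script basename because the page gives a directory only for form_post.php; the sample log lines are constructed for the example and do not come from any real host or from the cited references.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Script names taken from this advisory's "Affected code" list. The page gives
# the directory only for form_post.php (ajax/), so matching is on the basename;
# widen or narrow this set to fit the deployment.
AFFECTED_SCRIPTS = {
    "form_post.php", "nearby.php", "sever_graph.php",
    "inc_types_graph.php", "city_graph.php", "add_facnote.php",
}

# Indicators of SQL syntax arriving in a GET parameter. The first two catch the
# MySQL error-based primitives named in the advisory; the rest are generic
# CWE-89 tells. A lone quote is noisy on free-text fields, but these parameters
# are short or numeric, so it is worth flagging here.
SQLI_PATTERNS = [
    re.compile(r"\bextractvalue\s*\(", re.I),
    re.compile(r"\bupdatexml\s*\(", re.I),
    re.compile(r"\bunion\b[\s\S]{0,40}\bselect\b", re.I),
    re.compile(r"\b(?:or|and)\b\s+\S+\s*=\s*\S+", re.I),
    re.compile(r"information_schema", re.I),
    re.compile(r"--|/\*|#"),
    re.compile(r"['\"]"),
]

# Common Log Format: client, identd, user, [timestamp], "METHOD target proto", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)


def suspicious_params(target):
    """Return {param: decoded_value} for query parameters of an in-scope script
    that contain SQL injection indicators; {} if none, or if the script is out of scope."""
    parts = urlsplit(target)
    script = parts.path.rsplit("/", 1)[-1]
    if script not in AFFECTED_SCRIPTS:
        return {}
    hits = {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl already decodes once; decode again so a double-encoded
        # payload (%2527 -> %27 -> ') is inspected in its final form.
        decoded = unquote_plus(value)
        if any(p.search(decoded) for p in SQLI_PATTERNS):
            hits[name] = decoded
    return hits


def scan(lines):
    """Scan access-log lines; return one finding per request with a suspicious parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({
                "ip": m["ip"], "ts": m["ts"], "status": int(m["status"]),
                "path": urlsplit(m["target"]).path, "params": hits,
            })
    return findings


# Constructed sample log lines for this example (not from any real host or reference).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2026:10:01:02 +0000] "GET /ises/ajax/form_post.php?id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [29/May/2026:10:01:05 +0000] "GET /ises/ajax/form_post.php?id=42%27 HTTP/1.1" 500 131',
    '203.0.113.7 - - [29/May/2026:10:01:09 +0000] "GET /ises/ajax/form_post.php?id=42+AND+EXTRACTVALUE(1,CONCAT(0x7e,version())) HTTP/1.1" 500 310',
    '198.51.100.4 - - [29/May/2026:10:02:00 +0000] "GET /ises/ajax/form_post.php?tick_lat=1%2527+OR+1%3D1--+ HTTP/1.1" 200 640',
    '198.51.100.4 - - [29/May/2026:10:02:30 +0000] "GET /ises/index.php?id=1%27 HTTP/1.1" 200 900',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} status={f['status']} params={f['params']}")
```

Because the demonstrated technique is error-based, a successful probe typically shows up as a 500 (or a 200 whose body contains MySQL error text) immediately after a clean 200 for the same parameter from the same client, as in the constructed lines above; correlating the status code with the flagged parameter separates reconnaissance from noise.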

Affected code

The vulnerability exists in `ajax/form_post.php`, where the `id` parameter is passed directly into SQL queries without sanitization. Multiple other endpoints are also affected, including `nearby.php`, `sever_graph.php`, `inc_types_graph.php`, `city_graph.php`, and `add_facnote.php`, as demonstrated in the exploit-db reference [ref_id=1].

What the fix does

The advisory does not include a patch diff or specific remediation code. The recommended fix is to properly neutralize special elements used in SQL commands by using parameterized queries or prepared statements instead of concatenating user input directly into SQL strings [CWE-89]. Without a patch, the application remains vulnerable to SQL injection through multiple GET parameters across several endpoints.
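The Mitigation section above and this "What the fix does" passage both come down to one change: stop splicing the request parameter into the SQL text and bind it as a parameter instead, after checking it has the expected type. The following is an added illustration of that defect and its fix, not code from the advisory or from the Open ISES project (which is PHP); it uses Python's sqlite3 so the three variants can be run side by side, and the forms table and its rows are hypothetical stand-ins for the application's schema.

```python
import sqlite3


def build_db():
    """Constructed stand-in for the application's database (hypothetical table and rows)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE forms (id INTEGER PRIMARY KEY, owner TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO forms VALUES (?, ?, ?)",
        [(1, "alice", "public notice"), (2, "bob", "private note"), (3, "carol", "private note")],
    )
    return conn


def lookup_vulnerable(conn, raw_id):
    """The CWE-89 pattern the advisory describes: the request parameter is spliced
    into the SQL text, so whatever it contains is parsed as part of the statement."""
    sql = "SELECT id, owner, body FROM forms WHERE id = " + raw_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, raw_id):
    """Parameter binding alone: the value travels separately from the statement and
    is compared as data, never parsed as SQL, even without any input checking."""
    return conn.execute(
        "SELECT id, owner, body FROM forms WHERE id = ?", (raw_id,)
    ).fetchall()


def lookup_hardened(conn, raw_id):
    """Binding plus type validation: id is an integer key, so reject anything else
    before it reaches the database. Returns None for a rejected value so the
    caller can answer HTTP 400 instead of running a query."""
    try:
        form_id = int(raw_id)
    except (TypeError, ValueError):
        return None
    return conn.execute(
        "SELECT id, owner, body FROM forms WHERE id = ?", (form_id,)
    ).fetchall()


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, id=2        ->", lookup_vulnerable(db, "2"))
    print("vulnerable, injected    ->", lookup_vulnerable(db, "2 OR 1=1"))      # every row leaks
    print("parameterized, injected ->", lookup_parameterized(db, "2 OR 1=1"))   # []
    print("hardened, injected      ->", lookup_hardened(db, "2 OR 1=1"))        # None
```

The same shape carries over to the project's own stack: with mysqli the equivalent of lookup_hardened is mysqli::prepare() on a query containing a ? placeholder followed by mysqli_stmt::bind_param("i", $id), so that id is both typed as an integer and bound rather than concatenated. Note that lookup_parameterized already defeats the injection on its own; the integer check in lookup_hardened is defence in depth and gives the caller a clean place to reject malformed requests.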

Preconditions

  • network: The attacker must be able to send HTTP GET requests to the target server on a reachable network path.
  • auth: No authentication or prior session is required; the vulnerability is exploitable by unauthenticated attackers.
  • input: The vulnerable parameter (e.g., 'id' in form_post.php) must accept user-supplied input that is directly concatenated into an SQL query.

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0 (no linked articles in our index yet)