CVE-2018-25403
Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to city_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated SQL injection in Open ISES Project 3.30A via p1 parameter in city_graph.php allows attackers to extract database data.
Vulnerability
The Open ISES Project version 3.30A is vulnerable to SQL injection in the city_graph.php script. An unauthenticated attacker can inject arbitrary SQL commands through the p1 GET parameter, as the input is not properly sanitized before being used in a database query [1][4]. The vulnerability exists in versions up to and including 3.30A.
Exploitation
An attacker can exploit this vulnerability by sending a crafted GET request to city_graph.php with a malicious SQL payload in the p1 parameter. No authentication or prior access is required. The attack can be performed remotely over HTTP [1].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, including schema names, table structures, and arbitrary data. This leads to a compromise of confidentiality. The impact on integrity and availability is limited [4].
Mitigation
No official patch or workaround has been released for version 3.30A. The vendor has released version 3.44.1, but it is unclear whether this addresses the vulnerability [3]. Users should consider upgrading to the latest version and monitoring for security updates.
AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.30A
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"User-supplied input is directly concatenated into SQL queries without sanitization or parameterization."
Attack vector
An unauthenticated attacker sends crafted GET requests to any of the vulnerable endpoints (e.g., `city_graph.php?p1=[SQL]`) with malicious SQL payloads injected into the `p1` parameter [1]. The application fails to sanitize or parameterize the input, allowing the attacker to execute arbitrary SQL commands such as `EXTRACTVALUE` to extract database schema names, user credentials, and version information. No authentication is required, and the attack is performed over HTTP with standard URL-encoded payloads.
Affected code
The vulnerability exists in multiple PHP scripts including `city_graph.php`, `sever_graph.php`, `inc_types_graph.php`, `nearby.php`, `ajax/form_post.php`, and `add_facnote.php`. These files accept user-controlled parameters (`p1`, `tick_lat`, `tick_lng`, `id`, `ticket_id`) that are directly concatenated into SQL queries without sanitization.
What the fix does
The advisory does not include a patch or remediation guidance. To fix the vulnerability, the application must use prepared statements or parameterized queries for all database interactions, and user-supplied input should be strictly validated or escaped before being included in SQL statements.
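The following PHP sketch is an added example, not code from the Open ISES project or from the advisory. It puts the concatenation pattern described under "Affected code" beside the remediation this section calls for (strict input validation plus a prepared statement), using PDO against an in-memory SQLite database so it runs offline. The table `city_stats`, its columns, the sample rows and the assumption that `p1` is a positive integer identifier are all hypothetical.

```php
<?php
// Added example: the defect class the advisory describes, beside the fix it
// recommends. Not Open ISES code; schema, rows and the "p1 is an integer id"
// assumption are constructed for illustration.

declare(strict_types=1);

// Vulnerable pattern as the advisory describes it: the raw GET parameter is
// concatenated into the query text, so the parameter can rewrite the query.
function cityGraphQueryVulnerable(PDO $db, array $get): array
{
    $p1 = $get['p1'] ?? '';
    $sql = "SELECT city_name, ticket_count FROM city_stats WHERE city_id = " . $p1;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form, step 1: validate the parameter's type and range. Reject
// anything that is not a positive integer instead of trying to "clean" it.
function validateCityId(array $get): int
{
    $p1 = filter_var($get['p1'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($p1 === false) {
        // The caller should turn this into an HTTP 400 response.
        throw new InvalidArgumentException('p1 must be a positive integer');
    }
    return $p1;
}

// Hardened form, step 2: bind the validated value as a typed parameter, so the
// driver never treats user input as part of the SQL text.
function cityGraphQueryHardened(PDO $db, array $get): array
{
    $cityId = validateCityId($get);
    $stmt = $db->prepare(
        'SELECT city_name, ticket_count FROM city_stats WHERE city_id = :city_id'
    );
    $stmt->bindValue(':city_id', $cityId, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Offline demonstration with constructed data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE city_stats (city_id INTEGER PRIMARY KEY, city_name TEXT, ticket_count INTEGER)');
$db->exec("INSERT INTO city_stats VALUES (1, 'Springfield', 12), (2, 'Shelbyville', 7)");

// Well-formed request: the hardened query returns exactly one row.
var_dump(cityGraphQueryHardened($db, ['p1' => '1']));

// Tampered request whose p1 is not an integer: the concatenating version lets
// the extra text become part of the WHERE clause and returns every row, while
// the hardened version rejects the request before any SQL is built.
$tampered = ['p1' => '1 OR 1=1'];
var_dump(count(cityGraphQueryVulnerable($db, $tampered)));
try {
    cityGraphQueryHardened($db, $tampered);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Two design points carry over to the real application. First, validation and binding are complementary, not alternatives: binding alone keeps the query intact, but type checking also stops nonsense values from reaching the database and gives the client a clean 400. Second, with MySQL rather than SQLite, set `PDO::ATTR_EMULATE_PREPARES` to `false` so the statement is prepared by the server itself rather than assembled client-side by the driver.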
Preconditions
- Network: The attacker must be able to send HTTP GET requests to the target server.
- Authentication: No authentication or session is required; the vulnerable endpoints are publicly accessible.
- Input: The vulnerable parameters (p1, tick_lat, tick_lng, id, ticket_id) must be accepted by the application.
Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
News mentions
No linked articles in our index yet.