VYPR
High severity 8.2 · NVD Advisory · Published May 29, 2026 · Updated May 29, 2026

CVE-2018-25404

Description

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the ticket_id parameter. Attackers can send GET requests to add_facnote.php with crafted SQL payloads to extract sensitive database information including version details and other data.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2018-25404: Unauthenticated SQL injection in The Open ISES Project 3.30A via ticket_id parameter in add_facnote.php allows arbitrary database queries.

Vulnerability

The Open ISES Project 3.30A contains an SQL injection vulnerability in the add_facnote.php endpoint. An unauthenticated attacker can inject arbitrary SQL commands through the ticket_id parameter (also referred to as tick_lat in proof-of-concept code). The affected version is 3.30A (specifically build 3.30A_050318, as noted in [1]). The vulnerability is classified as CWE-89 [4] and is reachable via GET requests without any authentication requirement.

Exploitation

An attacker sends a crafted GET request to /add_facnote.php with a malicious payload in the ticket_id parameter [1]. No authentication or prior access is needed; the vulnerability is exploitable remotely over the network [4]. The proof-of-concept demonstrates injection by appending SQL syntax to extract database content. Attackers can use standard SQL injection techniques to enumerate the database structure and retrieve data.

Impact

Successful exploitation allows an unauthenticated attacker to execute arbitrary SQL queries against the database [4]. This results in confidentiality impact (high) as sensitive data such as database version information and other stored data can be extracted [4]. Integrity impact is low, and availability is not affected [4]. The attacker gains read access to the full database underpinning the application.

Mitigation

The vendor has not released a patched version specifically for this vulnerability. The download page on SourceForge [2] provides version 3.30A, and the official project site [3] lists v3.44.1 as the latest stable build, but it is unclear if this newer version addresses the SQL injection. No workaround is documented. Users should monitor the vendor homepage for updates or consider restricting access to add_facnote.php via web server rules. The vulnerability is not known to be listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 29, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing input sanitization and lack of parameterized queries allow SQL injection through multiple GET parameters."

Attack vector

An unauthenticated attacker can send crafted GET requests to any of the vulnerable endpoints (e.g., `add_facnote.php?ticket_id=[SQL]`) with SQL payloads injected into the `ticket_id`, `tick_lat`, `tick_lng`, `id`, or `p1` parameters. The application does not sanitize or parameterize these inputs, allowing the attacker to execute arbitrary SQL statements. The exploit uses techniques such as `EXTRACTVALUE` and `AND`-based blind injection to extract database version, user, and schema information [1]. No authentication is required, and the attack is performed over HTTP.

Affected code

The vulnerability exists in multiple PHP files of The Open ISES Project 3.30A, including `add_facnote.php`, `nearby.php`, `ajax/form_post.php`, `sever_graph.php`, `inc_types_graph.php`, and `city_graph.php`. These scripts pass unsanitized user-supplied parameters (`ticket_id`, `tick_lat`, `tick_lng`, `id`, `p1`) directly into SQL queries without proper escaping or parameterization.

What the fix does

The advisory does not include a published patch. To remediate the vulnerability, the application must use prepared statements or parameterized queries for all database interactions, and strictly validate or sanitize all user-supplied input before including it in SQL statements. Without a fix, an attacker can continue to extract sensitive database contents.
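The remediation described above, as an added illustration that is not Open ISES code and not a published patch: the vulnerable pattern (raw parameter concatenated into the SQL text) beside a hardened handler that validates `ticket_id` as a positive integer and binds it through a prepared statement. The table and column names (`facility_notes`, `note_id`, `note_text`) and the function names are assumptions made for the example.

```php
<?php
// Added illustration, not Open ISES code: table/column names are assumed.

/**
 * Vulnerable pattern (the shape of the flaw described in this advisory):
 * the raw GET parameter becomes part of the SQL text, so anything the
 * client appends after the number is parsed as SQL. Shown only to
 * contrast with the hardened version below; never run it against a database.
 */
function buildVulnerableQuery(string $ticketId): string
{
    return "SELECT note_id, note_text FROM facility_notes WHERE ticket_id = " . $ticketId;
}

/**
 * Hardened step 1: strict validation. Returns null unless the parameter
 * is a plain decimal integer >= 1, so "1 AND 1=1", "1--" or
 * "1 /*!00005...*/" are rejected before any SQL is built.
 */
function validateTicketId(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Hardened step 2: a prepared statement. The placeholder keeps the value
 * out of the SQL text entirely; the driver sends it as a typed parameter.
 * Requires mysqlnd for get_result().
 */
function fetchFacilityNotes(mysqli $db, ?string $rawTicketId): array
{
    $ticketId = validateTicketId($rawTicketId);
    if ($ticketId === null) {
        http_response_code(400);   // reject the request, log nothing sensitive
        return [];
    }
    $stmt = $db->prepare('SELECT note_id, note_text FROM facility_notes WHERE ticket_id = ?');
    $stmt->bind_param('i', $ticketId);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

// The validator can be exercised without a database connection:
var_dump(validateTicketId('42'));             // int(42)
var_dump(validateTicketId('1 AND 1=1'));      // NULL
var_dump(validateTicketId('1/*!00005x*/'));   // NULL
var_dump(validateTicketId(null));             // NULL (parameter absent)
```

The validation step is the defence-in-depth layer; the prepared statement alone already closes the injection, because the bound value is never interpreted as SQL. The same two steps apply to the other parameters named in the advisory (`tick_lat`, `tick_lng`, `id`, `p1`), with `FILTER_VALIDATE_FLOAT` and a `'d'` bind type for the coordinate values.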

Preconditions

  • Network: The attacker must be able to send HTTP GET requests to the target web server.
  • Authentication: No authentication or prior session is required.
  • Input: The vulnerable parameters (ticket_id, tick_lat, tick_lng, id, p1) must be accepted by the application.

Reproduction

Send a GET request to `http://TARGET/[PATH]/add_facnote.php?ticket_id=1+/*!00005ProcEDUre*/+/*!00005AnaLYSe*/+(extractvalue(0,/*!00005cONcat*/(0x27,0x3a,@@VErsion)),0)--+-`. The server responds with an HTTP 200 OK and the response body contains database version information, confirming the SQL injection [1].
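For defenders who cannot patch and want to see whether the request shape described in the Attack vector and Reproduction sections is hitting their server, here is an added detection example (not part of the advisory or of the Open ISES project) that scans web server access-log lines for the indicators named above: MySQL version-comment syntax (`/*!NNNNN ... */`), `EXTRACTVALUE`, a SQL keyword directly after the integer parameter value, and a `@@version` probe. The log lines are constructed for the demonstration; the second one carries the request target shown in the Reproduction section.

```php
<?php
// Added detection example; not part of the advisory or the Open ISES project.
// The access-log lines below are constructed. Requires PHP 8 (str_contains).

/**
 * Pull the request target out of a Common Log Format line, or null
 * if the line does not look like one.
 */
function extractRequestTarget(string $logLine): ?string
{
    return preg_match('~"(?:GET|POST|HEAD)\s+(\S+)\s+HTTP/~', $logLine, $m) ? $m[1] : null;
}

/**
 * Return the indicators found in one request target. Decoding first means
 * '+' and percent-escapes are seen as the SQL parser would see them.
 */
function sqliIndicators(string $target): array
{
    $decoded = strtolower(urldecode($target));
    // Flatten /*!00005keyword*/ into " keyword " so later checks see the keyword.
    $flat = preg_replace('~/\*!\d{5}\s*|\*/~', ' ', $decoded);

    $hits = [];
    if (preg_match('~/\*!\d{5}~', $decoded)) {
        $hits[] = 'mysql-version-comment';
    }
    if (preg_match('~\bextractvalue\s*\(~', $flat)) {
        $hits[] = 'extractvalue';
    }
    // The parameters named in this advisory, followed by an integer and then a SQL keyword.
    if (preg_match('~[?&](ticket_id|tick_lat|tick_lng|id|p1)=-?\d+\s+(and|or|union|procedure|order)\b~', $flat)) {
        $hits[] = 'keyword-after-integer';
    }
    if (str_contains($flat, '@@version')) {
        $hits[] = 'version-probe';
    }
    return $hits;
}

/**
 * Scan log lines; return only lines with at least one indicator, keyed by line number.
 */
function scanAccessLog(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $target = extractRequestTarget($line);
        if ($target === null) {
            continue;
        }
        $hits = sqliIndicators($target);
        if ($hits) {
            $findings[$n + 1] = $hits;
        }
    }
    return $findings;
}

// Constructed sample: a benign request, then one matching the advisory's request shape.
$sample = [
    '203.0.113.5 - - [29/May/2026:10:00:01 +0000] "GET /ises/add_facnote.php?ticket_id=17 HTTP/1.1" 200 512',
    '203.0.113.9 - - [29/May/2026:10:00:02 +0000] "GET /ises/add_facnote.php?ticket_id=1+/*!00005ProcEDUre*/+/*!00005AnaLYSe*/+(extractvalue(0,/*!00005cONcat*/(0x27,0x3a,@@VErsion)),0)--+- HTTP/1.1" 200 2048',
];
print_r(scanAccessLog($sample));
// Only line 2 is reported: mysql-version-comment, extractvalue, keyword-after-integer, version-probe
```

The version-comment indicator alone is a strong signal on a PHP application of this kind, since legitimate clients have no reason to send `/*!` in a query string; the remaining checks reduce dependence on that one token when a request is percent-encoded or split differently. Because the advisory notes the server answers such requests with HTTP 200, status-code based alerting will not catch them, which is why the detection keys on the request target rather than the response.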

Generated on May 29, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4

News mentions: 0

No linked articles in our index yet.