CVE-2018-25418

Vulnerability

AiOPMSD Final 1.0.0 contains an SQL injection vulnerability in year.php. The application fails to sanitize the year GET parameter, allowing unauthenticated attackers to inject arbitrary SQL queries. This affects version 1.0.0 (build 4, released 2017-09-05) as available from the official SourceForge download [1][2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted GET request to year.php with a malicious payload in the year parameter. No authentication is required, as the vulnerable endpoint is publicly accessible. For example, appending an SQL injection payload such as a single quote (') or a UNION statement can trigger the vulnerability and expose database contents. The attacker only needs network access to the target server [3].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL queries against the underlying MySQL database. This can lead to the extraction of sensitive information, including usernames, database names, and database version details. The compromise impacts the confidentiality of the database and may also affect integrity and availability depending on the SQL commands executed [3].

Mitigation

As of the available references, no official patch has been released for this vulnerability. The vendor stated the final version with no further updates, and the project appears to be abandoned. Users are advised to disable or remove the vulnerable year.php file, implement input validation (e.g., allowlisting expected years), or migrate to an alternative solution. This CVE is not listed on the Known Exploited Vulnerabilities (KEV) catalog [1][2][3].