CVE-2018-25419

Vulnerability

AiOPMSD Final 1.0.0 (build 4, released September 5, 2017) contains a SQL injection vulnerability in genre.php. The genre parameter is directly concatenated into SQL queries without sanitization or parameterization. This affects unauthenticated GET requests to genre.php, allowing injection of arbitrary SQL payloads. The underlying script is built on a MySQL database and PHP, and the vulnerable code exists in the genre filtering logic [1][2][3].

Exploitation

An attacker can send a crafted GET request to genre.php with a malicious genre parameter. No authentication is required, and the script does not validate or escape the input. The attacker can use standard SQL injection techniques (e.g., UNION SELECT statements) to extract data from the database. The attack can be performed remotely with only network access to the web application [3].

Impact

Successful exploitation allows the attacker to retrieve sensitive information from the database, including usernames, database names, MySQL version details, and other stored data. This can lead to further compromise of the application and disclosure of user credentials or internal configuration. The attack impacts confidentiality primarily, though chained with other vulnerabilities could allow escalation [3].

Mitigation

No official patch has been released as AiOPMSD Final 1.0.0 appears to be a final, unsupported release (last updated 2017). Users should disable the genre.php endpoint, apply input validation/filtering, or migrate to a maintained alternative. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date [1][2][3].