← back
CVE-2018-25407

eNdonesia Portal 8.7 SQL Injection via mod.php

CVSS 8.8 HIGHEPSS 0.3%CWE-89
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
Affected products
Endonesia · eNdonesia Portal
public PoCs found1
cve_referencewww.exploit-db.com/exploits/45654unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://sourceforge.net/projects/endonesia/files/latest/downloadhttps://www.exploit-db.com/exploits/45654https://www.vulncheck.com/advisories/endonesia-portal-sql-injection-via-mod-php-3http://www.endonesia.org/