CVE-2018-25402 in Open ISES Project

Summary

by MITRE • 05/29/2026

The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to inc_types_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.

Analysis

by VulDB Data Team • 05/29/2026

The Open ISES Project version 3.30A presents a critical SQL injection vulnerability that fundamentally compromises database security through improper input validation mechanisms. This vulnerability exists within the inc_types_graph.php script where the p1 parameter fails to properly sanitize user-supplied input, creating an exploitable pathway for malicious actors to inject arbitrary SQL commands. The vulnerability is particularly dangerous because it requires no authentication credentials, making it accessible to any attacker who can submit HTTP GET requests to the affected endpoint.

The technical flaw manifests as a classic SQL injection vulnerability classified under CWE-89, where the application directly incorporates user input into SQL query construction without adequate sanitization or parameterization. When an attacker crafts a malicious payload and submits it through the p1 parameter, the application processes this input as part of the SQL statement rather than as data, enabling complete database command execution. This vulnerability aligns with ATT&CK technique T1071.005 for application layer protocol manipulation and T1046 for network service discovery.

The operational impact of this vulnerability is severe and multifaceted, as attackers can extract sensitive database information including but not limited to schema names, table structures, user credentials, and application data. The ability to perform unauthorized data access and potential database manipulation creates significant risk for organizations relying on this system. Attackers can leverage this vulnerability to escalate privileges, perform data exfiltration, or even execute destructive operations on the underlying database infrastructure. The unauthenticated nature of the attack means that organizations cannot rely on access controls to prevent exploitation, making this vulnerability particularly concerning for publicly accessible systems.

Mitigation strategies should focus on implementing proper input validation and parameterized queries to prevent SQL injection attacks. Organizations should immediately apply the vendor-provided patch for Open ISES Project 3.30A or upgrade to a secure version that addresses this vulnerability. Additionally, implementing web application firewalls, input sanitization mechanisms, and regular security assessments can help prevent similar vulnerabilities from emerging in the future. The remediation process should include a thorough code review to identify and address other potential injection points within the application, and it should establish robust database access controls to limit the impact of any successful attacks.
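For triage alongside the mitigations above, the following added example (not code from VulDB, MITRE or the Open ISES Project) scans web server access logs for GET requests to inc_types_graph.php whose p1 value carries SQL syntax. The combined log format, the token list, the /tickets/ path and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

SCRIPT = "inc_types_graph.php"  # endpoint named in the advisory
PARAM = "p1"                    # parameter named in the advisory

# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Assumption: heuristic list of SQL syntax, not a complete grammar.
SQL_TOKENS = re.compile(
    r"['\"#;]|--|/\*|\b(?:union|select|sleep|benchmark|information_schema)\b",
    re.IGNORECASE,
)

def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %2527 and %27 both surface as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return (ip, status, decoded_p1) for GETs to the script whose p1 holds SQL syntax."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/" + SCRIPT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            value = fully_decode(raw)
            if SQL_TOKENS.search(value):
                hits.append((m["ip"], int(m["status"]), value))
    return hits

# Constructed sample log lines (documentation IP ranges, made-up paths and values).
SAMPLE_LOG = [
    '203.0.113.7 - - [29/May/2026:10:01:12 +0000] "GET /tickets/inc_types_graph.php?p1=3 HTTP/1.1" 200 512',
    '198.51.100.23 - - [29/May/2026:10:02:40 +0000] "GET /tickets/inc_types_graph.php?p1=1%27+UNION+SELECT+NULL HTTP/1.1" 200 734',
    '198.51.100.23 - - [29/May/2026:10:02:41 +0000] "GET /tickets/inc_types_graph.php?p1=x%2527%2520union%2520select%2520null HTTP/1.1" 500 0',
    '192.0.2.50 - - [29/May/2026:10:03:05 +0000] "GET /tickets/index.php?p1=select HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ip} status={status} p1={value!r}")
```

A flagged request that returned status 200 warrants closer review than one that returned an error, since the injected statement may have executed.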

Responsible: VulnCheck
Reservation: 05/29/2026
Disclosure: 05/29/2026
Moderation: accepted
CPE: ready
Exploit: Download
EPSS: 0.00068
KEV: no
Activities: very low
