CVE-2018-25418 in AiOPMSD Final
Summary
by MITRE • 05/30/2026
AiOPMSD Final 1.0.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the year parameter. Attackers can send GET requests to year.php with crafted SQL payloads in the year parameter to extract sensitive database information including usernames, database names, and version details.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 05/31/2026
The AiOPMSD Final 1.0.0 application presents a critical sql injection vulnerability that fundamentally compromises database security through improper input validation. This vulnerability exists within the year parameter of the year.php endpoint, where the application fails to sanitize or escape user-supplied data before incorporating it into sql queries. The flaw allows unauthenticated attackers to inject malicious sql code directly through http get requests, bypassing all authentication mechanisms and providing direct access to backend database systems. The vulnerability stems from the application's reliance on dynamic sql construction without proper parameterization or input sanitization, creating an exploitable path for malicious actors to manipulate database operations.
This sql injection vulnerability enables attackers to execute arbitrary sql commands against the underlying database, potentially leading to complete system compromise and data exfiltration. The specific attack vector involves crafting malicious payloads in the year parameter of requests sent to year.php, which then get processed by the vulnerable application logic. Attackers can leverage this weakness to extract sensitive information including but not limited to database user credentials, database schema details, version information, and potentially other confidential data stored within the database. The vulnerability's impact extends beyond simple data extraction as it provides attackers with the capability to modify database contents, delete critical information, or even escalate privileges within the database environment.
The operational impact of this vulnerability is severe and multifaceted, affecting both data confidentiality and system integrity. Organizations using AiOPMSD Final 1.0.0 face potential exposure of sensitive information including user account details, system configurations, and business-critical data that may be stored in the affected database. The unauthenticated nature of this attack means that any external party can exploit the vulnerability without requiring valid credentials, significantly expanding the attack surface and making the system particularly vulnerable to automated scanning and exploitation. This vulnerability directly violates security principles outlined in cwe-89 sql injection and aligns with attack patterns described in the attack technique t1071.004 application layer protocol hijacking within the attack tactic t1003 credential access.
Mitigation strategies for this vulnerability must address both immediate remediation and long-term security improvements. The primary solution involves implementing proper input validation and parameterized queries throughout the application codebase, specifically ensuring that all user-supplied data passed to database operations undergoes proper sanitization and escaping. Organizations should implement prepared statements or parameterized queries to prevent sql injection attacks at the source. Additionally, input validation should be strengthened to reject malformed or suspicious data patterns, while access controls should be enforced to limit database access to authorized users only. Security monitoring and intrusion detection systems should be enhanced to detect and alert on suspicious sql query patterns. The vulnerability also highlights the importance of regular security assessments and code reviews to identify and remediate similar flaws in other application components, following the principle of defense in depth as recommended by industry standards and best practices.