CVE-2018-25430 in Paroiciel
Summary
by MITRE • 06/02/2026
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to extract sensitive database information including version details and other data.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 06/02/2026
This vulnerability exists within Paroiciel version 11.20 and represents a critical sql injection flaw that undermines the application's database security posture. The vulnerability specifically manifests through the eGeqIdEquipe parameter within the egeq.php endpoint, where insufficient input validation allows authenticated attackers to manipulate database queries through crafted sql payloads. The flaw enables attackers to execute arbitrary sql commands by simply appending malicious code to the eGeqIdEquipe parameter in get requests, effectively bypassing normal authentication mechanisms and database access controls.
The technical implementation of this vulnerability aligns with common sql injection patterns and maps directly to cwe-89 which defines improper neutralization of special elements used in an sql command. Attackers can leverage this weakness to extract sensitive database information including version details, user credentials, and other confidential data stored within the application's backend database. The authenticated nature of this vulnerability means that attackers must first establish valid credentials to exploit the flaw, but once authenticated, they can perform extensive data exfiltration and potentially escalate their privileges within the database environment.
The operational impact of this vulnerability extends beyond simple data theft to include potential system compromise and business disruption. Attackers can use the sql injection to gain unauthorized access to sensitive organizational data, potentially leading to regulatory compliance violations under standards such as gdpr and pci dss. The vulnerability creates a persistent threat vector that can be exploited repeatedly, making it particularly dangerous for organizations relying on the paroiciel application for critical business functions. Additionally, the extraction of database version information can provide attackers with valuable intelligence for planning further attacks against the system infrastructure.
Organizations should implement multiple layers of defense to mitigate this vulnerability including input validation and parameterized queries to prevent sql injection attacks. The recommended approach involves applying the latest security patches from the software vendor as soon as available, implementing proper input sanitization techniques, and utilizing web application firewalls to detect and block malicious sql payloads. Organizations should also consider implementing database activity monitoring solutions to detect anomalous sql query patterns that may indicate exploitation attempts. The mitigation strategy should align with nist cybersecurity framework guidelines and incorporate regular vulnerability assessments to identify similar weaknesses in the application's codebase. Furthermore, implementing principle of least privilege access controls and conducting regular security training for developers can help prevent similar vulnerabilities from being introduced in future application versions.