Plattform
php
Komponente
online-store-system-cms
Behoben in
1.0.1
CVE-2018-25203 describes a SQL injection vulnerability discovered in Online Store System CMS versions 1.0 through 1.0. This flaw allows unauthenticated attackers to manipulate database queries, potentially leading to data breaches and system compromise. The vulnerability is triggered through the 'email' parameter in the 'index.php' file. A patch is required to remediate this issue.
An attacker exploiting CVE-2018-25203 can leverage the SQL injection vulnerability to extract sensitive information stored within the Online Store System CMS database. This includes customer data (names, addresses, payment details), product information, and potentially administrative credentials. Successful exploitation could lead to complete data compromise, allowing attackers to modify data, create fraudulent accounts, or even gain control of the entire system. The attack vector involves crafting malicious POST requests to index.php, injecting SQL payloads within the 'email' parameter. The blind SQL injection technique employed allows attackers to extract data without triggering immediate error messages, making detection more challenging.
CVE-2018-25203 has been published on 2026-03-26. Exploitation probability is currently unknown. Public proof-of-concept (POC) code may exist or emerge, increasing the risk of exploitation. Review the NVD and CISA advisories for updates and potential indicators of compromise (IOCs).
Organizations utilizing Online Store System CMS version 1.0, particularly those with sensitive customer data or financial information, are at significant risk. Shared hosting environments where multiple websites share the same server instance are also vulnerable, as a compromise of one website could potentially impact others.
• php / web:
grep -r "email parameter" /var/www/html/index.php• generic web:
curl -X POST -d "action=clientaccess&email=test' OR '1'='1" http://your-website.com/index.php | grep -i "error"Exploit-Status
EPSS
0.09% (25% Perzentil)
CISA SSVC
CVSS-Vektor
The primary mitigation for CVE-2018-25203 is to upgrade to a patched version of Online Store System CMS. If upgrading is not immediately feasible, implement temporary workarounds. These include strict input validation on the 'email' parameter, ensuring all user-supplied input is properly sanitized before being used in SQL queries. Employing parameterized queries or prepared statements is crucial to prevent SQL injection. Consider implementing a Web Application Firewall (WAF) with rules to detect and block SQL injection attempts targeting the 'email' parameter. Monitor database logs for suspicious activity and unusual query patterns.
Actualizar a una versión parcheada o aplicar las medidas de seguridad recomendadas por el proveedor. En caso de no haber una versión parcheada, se recomienda deshabilitar la funcionalidad vulnerable o aplicar un filtro de entrada para evitar la inyección SQL.
Schwachstellenanalysen und kritische Warnungen direkt in deinen Posteingang.
CVE-2018-25203 is a SQL injection vulnerability affecting Online Store System CMS versions 1.0–1.0, allowing attackers to manipulate database queries through the email parameter.
If you are using Online Store System CMS version 1.0, you are potentially affected and should upgrade to a patched version or implement immediate workarounds.
The recommended fix is to upgrade to a patched version of Online Store System CMS. Contact the vendor for the latest secure release and implement input validation as a temporary workaround.
There is currently no evidence of CVE-2018-25203 being actively exploited in the wild.
Please consult the vendor's official website or security advisory channels for the most up-to-date information regarding CVE-2018-25203.
Lade deine Abhängigkeitsdatei hoch und erfahre sofort, ob dich diese und andere CVEs treffen.