Platform
aspnet
Component
asp-net-jvideo-kit
Fixed in
1.0.1
CVE-2018-25205 describes a SQL Injection vulnerability discovered in ASP.NET jVideo Kit versions 1.0. This flaw allows unauthenticated attackers to inject malicious SQL commands, potentially leading to unauthorized access and data exfiltration. The vulnerability resides within the search functionality, specifically the 'query' parameter of the /search endpoint. While a patch is not explicitly available, mitigation strategies can reduce the risk.
Successful exploitation of CVE-2018-25205 could allow an attacker to bypass authentication and directly query the underlying database. This could lead to the extraction of sensitive data such as user credentials, video metadata, or other stored information. Depending on the database schema and privileges, an attacker might even be able to modify or delete data, leading to denial of service or further compromise. The impact is amplified if the database contains personally identifiable information (PII) or other confidential data, potentially leading to regulatory compliance issues and reputational damage. This vulnerability shares similarities with other SQL injection flaws where attackers leverage blind injection techniques to extract data without immediate error feedback.
CVE-2018-25205 was publicly disclosed on March 26, 2026. There is no indication of this vulnerability being actively exploited in the wild at this time. No Proof-of-Concept (PoC) code has been publicly released. It is not listed on the CISA KEV catalog. The vulnerability's severity is rated as HIGH based on the CVSS score, indicating a significant potential impact if exploited.
Exploit Status
EPSS
0.09% (25% percentile)
CISA SSVC
CVSS Vector
Given the lack of a direct patch, mitigation focuses on reducing the attack surface and detecting malicious activity. Implement robust input validation and sanitization on the 'query' parameter within the /search endpoint. Utilize parameterized queries or prepared statements to prevent SQL injection attacks. Deploy a Web Application Firewall (WAF) with rules specifically designed to detect and block SQL injection attempts targeting the /search endpoint. Regularly review and audit database access logs for suspicious activity. Consider restricting access to the database server itself to only authorized personnel and applications. After implementing these mitigations, verify their effectiveness by attempting to reproduce the vulnerability using a safe, controlled SQL injection payload.
Update to a patched version or implement security measures to prevent SQL injection. Validate and filter the 'query' parameter input before using it in SQL queries. Consider using parameterized queries or an ORM to prevent SQL injection.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2018-25205 is a SQL Injection vulnerability affecting ASP.NET jVideo Kit version 1.0, allowing attackers to inject SQL commands through the /search endpoint.
If you are using ASP.NET jVideo Kit version 1.0, you are potentially affected by this vulnerability. Assess your input validation practices and implement mitigations.
A direct patch is not available. Mitigate by implementing robust input validation, parameterized queries, and WAF rules.
There is currently no evidence of CVE-2018-25205 being actively exploited in the wild.
Due to the age and limited information about jVideo Kit, a dedicated advisory may not exist. Consult general ASP.NET security resources and vendor documentation.
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.