CVE-2018-25176
Received Received - Intake
SQL Injection and File Upload Flaws in Alive Parish

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: VulnCheck

Description
Alive Parish 2.0.4 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the key parameter in the search endpoint. Attackers can also upload arbitrary files via the person photo upload functionality to the images/uploaded directory for remote code execution.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25176
EUVD
EUVD-2018-21631
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alive_parish alive_parish to 2.0.4 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Impact Analysis

This vulnerability can have severe impacts including unauthorized access to sensitive database information through SQL injection.

Attackers can execute arbitrary SQL queries, potentially extracting or manipulating data.

The arbitrary file upload vulnerability can allow attackers to upload malicious files, which may lead to remote code execution on the server, compromising the entire system.

Compliance Impact

I don't know

Executive Summary

[{'type': 'paragraph', 'content': 'CVE-2018-25176 affects Alive Parish version 2.0.4 and involves two critical security issues: an SQL injection vulnerability and an arbitrary file upload vulnerability.'}, {'type': 'paragraph', 'content': 'The SQL injection vulnerability allows unauthenticated attackers to inject malicious SQL code through the "key" parameter in the search endpoint, enabling them to execute arbitrary SQL queries on the database.'}, {'type': 'paragraph', 'content': 'The arbitrary file upload vulnerability exists in the person photo upload functionality, where attackers can upload arbitrary files to the images/uploaded directory without proper validation, potentially leading to remote code execution.'}] [1, 2]

Detection Guidance

[{'type': 'paragraph', 'content': 'The SQL injection vulnerability can be detected by sending crafted HTTP GET requests to the search endpoint with malicious SQL payloads in the key parameter and observing the server response for errors such as HTTP 500 Internal Server Error.'}, {'type': 'list_item', 'content': 'Send a request like: curl "http://localhost/[PATH]/parish/search?key=\' OR (SELECT 1 FROM (SELECT COUNT(*),CONCAT((SELECT database()),0x3a,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- -"'}, {'type': 'paragraph', 'content': 'For the arbitrary file upload vulnerability, detection involves attempting to upload a test file via the photo upload endpoint and verifying if the file is stored in the images/uploaded directory.'}, {'type': 'list_item', 'content': 'Use a command like: curl -F "People[raw_photo][email protected]" http://localhost/[PATH]/person/photo/1 -v and then check if http://localhost/[PATH]/images/uploaded/testfile.php is accessible.'}] [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable search and file upload endpoints to prevent exploitation.

Implement input validation and parameterized queries to prevent SQL injection attacks on the search functionality.

Restrict or disable the file upload feature, or enforce strict validation on uploaded files to prevent arbitrary file uploads and potential remote code execution.

Monitor web server logs for suspicious requests targeting the key parameter or file upload endpoints.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart