CVE-2018-25192
Received Received - Intake
SQL Injection in GPS Tracking System 2.12 Enables Unauthorized Access

Publication date: 2026-03-06

Last updated on: 2026-03-06

Assigner: VulnCheck

Description
GPS Tracking System 2.12 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter. Attackers can submit crafted POST requests to the login.php endpoint with SQL injection payloads in the username field to gain unauthorized access without valid credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-06
Last Modified
2026-03-06
Generated
2026-06-16
AI Q&A
2026-03-06
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25192
EUVD
EUVD-2018-21645
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2018-25192 is an SQL injection vulnerability found in GPS Tracking System version 2.12 and earlier. It occurs in the username parameter of the login.php endpoint. An attacker can send specially crafted POST requests with malicious SQL code in the username field to bypass authentication.

This means that without valid credentials, an attacker can manipulate the SQL query executed by the application to gain unauthorized access to the system.

Impact Analysis

This vulnerability allows unauthenticated attackers to bypass the login process and gain unauthorized access to the GPS Tracking System.

Such unauthorized access can lead to exposure or manipulation of sensitive tracking data, compromise of user accounts, and potential further exploitation of the system.

Because the vulnerability has a high severity score (CVSS v4.0 score of 8.8), it represents a significant security risk if left unpatched.

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by sending crafted POST requests to the login.php endpoint with SQL injection payloads in the username parameter and observing if authentication is bypassed.'}, {'type': 'paragraph', 'content': 'For example, you can use the following curl command to test for the vulnerability:'}, {'type': 'list_item', 'content': 'curl -X POST -d "username=\'or 1=1 or \'\'=\'&password=" http://target/login.php -v'}, {'type': 'paragraph', 'content': 'If the response results in a successful login redirect (HTTP 302 Found) to index.php without valid credentials, the system is vulnerable.'}] [2]

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25192. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart