CVE-2018-25205

Received Received - Intake

SQL Injection in ASP.NET jVideo Kit 1.0 Search Endpoint

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: VulnCheck

Description

ASP.NET jVideo Kit 1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to inject SQL commands through the 'query' parameter in the search functionality. Attackers can submit malicious SQL payloads via GET or POST requests to the /search endpoint to extract sensitive database information using boolean-based blind or error-based techniques.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-26

Last Modified

2026-03-26

Generated

2026-06-16

AI Q&A

2026-03-26

EPSS Evaluated

2026-06-14

NVD

CVE-2018-25205

EUVD

EUVD-2018-21669

Affected Vendors & Products

Vendor	Product	Version / Range
mediasoft_pro	asp.net_jvideo_kit	to 1.0 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2018-25205 is a high-severity SQL injection vulnerability affecting ASP.NET jVideo Kit version 1.0 and earlier.

The vulnerability allows unauthenticated attackers to inject malicious SQL commands through the 'query' parameter in the search functionality, which can be accessed via GET or POST requests to the /search endpoint.

Attackers can exploit this flaw using boolean-based blind or error-based SQL injection techniques to extract sensitive information from the backend database.

Impact Analysis

This vulnerability can allow attackers to execute arbitrary SQL commands on the backend database without authentication.

As a result, attackers can extract sensitive database information, potentially leading to unauthorized data access or manipulation.

The impact includes a high confidentiality breach, while integrity impact is lower, and availability is not affected.

Detection Guidance

This SQL injection vulnerability can be detected by testing the 'query' parameter in the /search endpoint using specially crafted SQL payloads via GET or POST requests.

Use a GET request with a payload like: http://your-target.com/search?query=test%' AND 3923=3923 AND '%'=' to check for boolean-based blind SQL injection.
Use a POST request with payload: Query=test%' AND 3923=3923 AND '%'=' to test the same injection point.
Try error-based SQL injection payloads targeting Microsoft SQL Server, for example: query=test%' AND 1603 IN (SELECT (CHAR(113)+CHAR(107)+CHAR(113)+CHAR(122)+CHAR(113)+(SELECT (CASE WHEN (1603=1603) THEN CHAR(49) ELSE CHAR(48) END))+CHAR(113)+CHAR(122)+CHAR(122)+CHAR(113)+CHAR(113))) AND '%'='

Compliance Impact

The SQL injection vulnerability in ASP.NET jVideo Kit 1.0 allows unauthenticated attackers to extract sensitive information from the backend database. This unauthorized access to sensitive data can lead to violations of data protection regulations such as GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized disclosure.

By enabling attackers to access or manipulate sensitive data, this vulnerability undermines the confidentiality and integrity requirements mandated by these standards, potentially resulting in non-compliance and associated legal or financial penalties.

Mitigation Strategies

To mitigate the SQL injection vulnerability in ASP.NET jVideo Kit 1.0, immediate steps include:

Restrict or disable access to the /search endpoint until a fix is applied.
Implement input validation and sanitization on the 'query' parameter to prevent injection of malicious SQL commands.
Use parameterized queries or prepared statements in the backend code handling the search functionality.
Monitor and analyze logs for suspicious GET or POST requests targeting the 'query' parameter.
Apply any available patches or updates from the vendor or consider upgrading to a version without this vulnerability.

Hi! I’m here to help you understand CVE-2018-25205. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2018-25205

SQL Injection in ASP.NET jVideo Kit 1.0 Search Endpoint

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart