CVE-2018-25209
Received Received - Intake
SQL Injection in OpenBiz Cubi Lite 3.0.8 Login Allows Data Theft

Publication date: 2026-03-26

Last updated on: 2026-03-26

Assigner: VulnCheck

Description
OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-26
Last Modified
2026-03-26
Generated
2026-06-16
AI Q&A
2026-03-26
EPSS Evaluated
2026-06-14
NVD
CVE-2018-25209
EUVD
EUVD-2018-21677
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
openbiz cubi_lite to 3.0.8 (exc)
openbiz cubi_lite 3.0.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in OpenBiz Cubi Lite 3.0.8 allows unauthenticated attackers to extract sensitive database information or bypass authentication controls.

Such unauthorized access to sensitive data can lead to violations of data protection regulations and standards like GDPR and HIPAA, which require the protection of personal and sensitive information from unauthorized access or disclosure.

Therefore, exploitation of this vulnerability could compromise compliance with these regulations by exposing sensitive data and failing to maintain adequate security controls.

Executive Summary

CVE-2018-25209 is a high-severity SQL injection vulnerability affecting OpenBiz Cubi Lite version 3.0.8 and earlier. It exists in the login form, specifically in the 'username' parameter, which is not properly sanitized. This allows unauthenticated attackers to inject malicious SQL code by sending specially crafted POST requests to the /bin/controller.php endpoint.

By exploiting this flaw, attackers can manipulate database queries to extract sensitive information or bypass authentication controls, potentially gaining unauthorized access to the system.

Impact Analysis

This vulnerability can have serious impacts including unauthorized access to sensitive database information and bypassing authentication mechanisms.

  • Attackers can extract sensitive data from the database.
  • Attackers can bypass login authentication, gaining unauthorized access.
  • Potential compromise of the application and underlying database system.
Detection Guidance

This SQL injection vulnerability can be detected by sending specially crafted POST requests to the endpoint /bin/controller.php with malicious SQL code in the username parameter.

A common detection method is to use time-based blind SQL injection payloads in the username field to observe delays in the server response, indicating successful injection.

  • Send a POST request with the username parameter set to a payload like: admin' AND SLEEP(5)-- JgaK
  • Example curl command to test the vulnerability:

curl -X POST 'http://target-site/bin/controller.php?F=RPCInvoke&P0=[user.form.LoginForm]&P1=[Login]&__this=btn_login:onclick&_thisView=user.view.LoginView&jsrs=1' -F "username=admin' AND SLEEP(5)-- JgaK" -F "password=any" -F "session_timeout=30" -F "current_language=en"

If the response is delayed by approximately 5 seconds, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

To mitigate the SQL injection vulnerability in OpenBiz Cubi Lite 3.0.8, immediate steps include restricting access to the vulnerable login endpoint, implementing input validation and sanitization on the username parameter, and monitoring for suspicious POST requests targeting /bin/controller.php.

Additionally, applying any available patches or updates from the vendor or upgrading to a non-vulnerable version is recommended. If patches are not available, consider deploying web application firewalls (WAF) rules to detect and block SQL injection attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25209. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart