CVE-2018-25392
Deferred Deferred - Pending Action
SQL Injection in MaxOn ERP Software

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2018-25392
EUVD
EUVD-2018-21914
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
talagasoft maxon_erp_software to 8.0|start_including=9.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL injection vulnerability in MaxOn ERP Software allows attackers to extract sensitive database information, which could include personal or confidential data. Such unauthorized data access and potential data breaches can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Because the vulnerability enables attackers to execute arbitrary SQL queries and extract sensitive information, organizations using affected versions of MaxOn ERP Software may face increased risk of data exposure, potentially violating compliance requirements for data confidentiality and integrity.

Executive Summary

CVE-2018-25392 is an SQL injection vulnerability in MaxOn ERP Software versions 8.x to 9.x. It allows authenticated users to execute arbitrary SQL commands by injecting malicious SQL code into the 'nomor', 'user', and 'jenis' parameters of the log_activity function. Attackers exploit this by sending specially crafted POST requests to the /index.php/user/log_activity endpoint.

This vulnerability arises from improper neutralization of special elements in SQL commands, which means the software does not properly sanitize user input before including it in SQL queries.

Impact Analysis

This vulnerability can have a significant impact as it allows attackers to extract sensitive database information such as database version and database names. This unauthorized access can lead to data leakage and potentially further exploitation of the system.

Since the vulnerability allows execution of arbitrary SQL commands, it could be used to manipulate or access data without proper authorization, compromising the confidentiality and integrity of the database.

Detection Guidance

This vulnerability can be detected by monitoring for malicious POST requests sent to the /index.php/user/log_activity endpoint containing SQL injection payloads in the 'nomor', 'user', or 'jenis' parameters.

A practical detection method involves sending crafted POST requests with SQL injection test payloads to these parameters and observing the server response for errors such as HTTP 500 Internal Server Error, which may indicate successful SQL injection execution.

Example command using curl to test for the vulnerability:

  • curl -X POST -d "nomor=1' OR '1'='1&user=test&jenis=test" http://[target]/index.php/user/log_activity -v

If the server responds with an error or unexpected behavior, it may confirm the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable endpoint to only trusted authenticated users and implementing input validation and sanitization on the 'nomor', 'user', and 'jenis' parameters to prevent SQL injection.

Additionally, monitoring and blocking suspicious POST requests targeting /index.php/user/log_activity can reduce exploitation risk.

Applying any available patches or updates from the vendor that address this vulnerability is strongly recommended.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25392. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart