CVE-2018-25401
Deferred Deferred - Pending Action
SQL Injection in Open ISES Project via p1 Parameter

Publication date: 2026-05-29

Last updated on: 2026-05-29

Assigner: VulnCheck

Description
The Open ISES Project 3.30A contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the p1 parameter. Attackers can send GET requests to sever_graph.php with crafted SQL payloads to extract sensitive database information including schema names and other data.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-29
Last Modified
2026-05-29
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2018-25401
EUVD
EUVD-2018-21923
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
open_ises_project open_ises_project 3.30A
open_ises_project open_ises_project 3.30
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The Open ISES Project version 3.30A contains a high-severity SQL injection vulnerability in the sever_graph.php file. This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through the p1 parameter.

Attackers can exploit this flaw by sending crafted GET requests to sever_graph.php, which can lead to extraction of sensitive database information such as schema names and other data.

Impact Analysis

This vulnerability can have significant impacts as it allows attackers to access sensitive database information without authentication.

  • Attackers can extract database schema names and other sensitive data.
  • The vulnerability has a high CVSS score (8.8), indicating a serious risk to confidentiality.
  • It can lead to unauthorized data disclosure and potential further exploitation of the system.
Detection Guidance

This vulnerability can be detected by monitoring for suspicious GET requests to the sever_graph.php file that include the p1 parameter with potentially malicious SQL payloads.

A practical approach is to inspect web server logs for requests matching the pattern: sever_graph.php?p1= followed by SQL injection attempts.

  • Use command-line tools like grep to search logs for suspicious requests, for example: grep "sever_graph.php?p1=" /var/log/apache2/access.log
  • Use curl or wget to test the endpoint with crafted SQL payloads to verify if the system is vulnerable.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering access to sever_graph.php to prevent unauthenticated requests with malicious p1 parameters.

Implement input validation and parameterized queries in the application code to prevent SQL injection.

If possible, apply any available patches or updates from the Open ISES Project that address this vulnerability.

Monitor logs for suspicious activity and consider temporarily disabling the affected functionality if it is not critical.

Compliance Impact

The SQL injection vulnerability in Open ISES Project 3.30A allows attackers to extract sensitive database information, which could include personal or protected data.

Such unauthorized access and potential data exposure can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive information against unauthorized access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25401. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart