Description
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.
Published: 2026-05-29
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in the log_activity function of MaxOn ERP Software 8.x-9.x, allowing an authenticated user to inject arbitrary SQL code via the nomor, user, and jenis parameters. By sending crafted POST requests to /index.php/user/log_activity, the attacker can retrieve sensitive database information such as the database name and version, potentially escalating to full data exfiltration. The weakness aligns with CWE-89 and represents a typical insider or authenticated threat vector.

Affected Systems

The vulnerability affects Talagasoft MaxOn ERP versions 8.x and 9.x. Organizations running these ERP editions are impacted.

Risk and Exploitability

The CVSS score of 7.1 indicates a moderate to high severity. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog, suggesting that while the risk is significant, it may not yet be actively exploited in the wild. The attack requires valid credentials to reach the vulnerable endpoint, so the primary exploitation path is an authenticated user commandeering the log_activity function.

Generated by OpenCVE AI on May 29, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update MaxOn ERP to the latest patch release from Talagasoft that fixes the SQL injection issue.
  • Restrict the /index.php/user/log_activity endpoint to users with the minimum required privileges and consider disabling it for roles that do not need logging.
  • Implement input validation and use parameterized queries for the nomor, user, and jenis parameters to prevent SQL injection.

Generated by OpenCVE AI on May 29, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 29 May 2026 16:15:00 +0000

Type Values Removed Values Added
Description MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.
Title MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter
First Time appeared Maxonerp
Maxonerp maxon
Weaknesses CWE-89
CPEs cpe:2.3:a:maxonerp:maxon:8.0:*:*:*:*:*:*:*
cpe:2.3:a:maxonerp:maxon:9.0:*:*:*:*:*:*:*
Vendors & Products Maxonerp
Maxonerp maxon
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Maxonerp Maxon
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-29T14:46:35.307Z

Reserved: 2026-05-29T11:28:57.397Z

Link: CVE-2018-25392

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Deferred

Published: 2026-05-29T16:16:18.513

Modified: 2026-05-29T16:29:11.350

Link: CVE-2018-25392

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T18:00:05Z

Weaknesses