Description
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is a classic SQL injection flaw in the eNdonesia Portal 8.7 application. The flaw allows an unauthenticated attacker to inject malicious SQL code through five distinct parameters—artid, cid, did, contid, and aboutid—in the mod.php file. By manipulating these inputs, an attacker can execute arbitrary queries against the underlying database, retrieving sensitive information such as usernames, database names, and version details. The impact is primarily the compromise of confidentiality and the potential for further exploitation if the attacker can gain more privileged access.

Affected Systems

The affected product is eNdonesia Portal 8.7, distributed by the Endonesia organization. No specific patch or upgrade version is publicly listed; affected installations process requests via mod.php without proper sanitization. Any deployment of this version that exposes mod.php to the internet is at risk.

Risk and Exploitability

The CVSS v4.0 score of 8.8 indicates high severity, and the lack of a KEV listing suggests it is not currently exploited in the wild. The flaw nevertheless remains trivially exploitable because no authentication is required and the parameters are unsanitized: an attacker can simply send crafted HTTP requests to the vulnerable endpoints. Without a patch, the risk is ongoing and the attack surface remains fully exposed.

Generated by OpenCVE AI on May 30, 2026 at 16:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade eNdonesia Portal to a newer, patched version once a fix is released by the vendor.
  • If no patch is available, modify the mod.php script to use parameterized queries or stored procedures, ensuring that all user input is properly sanitized or escaped before concatenation into SQL statements.
  • Apply network-level controls such as firewall rules or intrusion detection systems to filter suspicious SQL injection payloads targeting the mod.php parameters.
  • Limit the exposure of mod.php by restricting access to trusted internal networks or by removing the file from the web root if it is not required.
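
One way to implement the detection side of these recommendations, as an added example that is not part of the advisory or of eNdonesia's code: a log check that flags mod.php requests whose artid, cid, did, contid or aboutid value is not a plain number. It assumes these parameters carry numeric identifiers and that the web server writes combined-format access logs; neither is stated in the advisory, and the sample log entries are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# The five mod.php parameters named in the advisory.
WATCHED = {"artid", "cid", "did", "contid", "aboutid"}
# Assumption (not stated in the advisory): each one carries a numeric identifier.
NUMERIC = re.compile(r"[0-9]{1,10}")
# Request line of a combined-format access log entry (assumed log format).
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[0-9.]+"')
MOD_PHP = re.compile(r"/mod\.php(/|$)", re.IGNORECASE)

def suspicious_params(log_line):
    """Names of watched mod.php parameters whose decoded value is not numeric."""
    m = REQUEST.search(log_line)
    if not m:
        return []
    url = urlsplit(m.group(1))
    if not MOD_PHP.search(url.path):
        return []
    # parse_qsl percent-decodes once and keeps repeated keys, so a benign
    # first value cannot hide a second, non-numeric one.
    pairs = parse_qsl(url.query, keep_blank_values=True)
    return sorted({k for k, v in pairs if k in WATCHED and not NUMERIC.fullmatch(v)})

def scan(lines):
    """Return (line_number, parameter_names) for every flagged request."""
    hits = []
    for n, line in enumerate(lines, 1):
        names = suspicious_params(line)
        if names:
            hits.append((n, names))
    return hits

# Constructed sample entries, not taken from any real server.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2026:16:00:01 +0000] "GET /mod.php?artid=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [30/May/2026:16:00:02 +0000] "GET /mod.php?cid=3%27 HTTP/1.1" 200 812',
    '203.0.113.9 - - [30/May/2026:16:00:03 +0000] "GET /mod.php?did=7&contid=2+and+1%3D1 HTTP/1.1" 200 812',
    '203.0.113.7 - - [30/May/2026:16:00:04 +0000] "GET /index.php?artid=abc HTTP/1.1" 200 300',
    '203.0.113.9 - - [30/May/2026:16:00:05 +0000] "GET /mod.php?aboutid=1&aboutid=%2527 HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for n, names in scan(SAMPLE_LOG):
        print(f"line {n}: non-numeric value in {', '.join(names)}")
```

Access logs record only the query string, so parameters sent in a POST body need the same check at a reverse proxy or in the application itself.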

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Endonesia; Endonesia endonesia
Vendors & Products | | Endonesia; Endonesia endonesia

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters to extract sensitive database information including usernames, database names, and version details.
Title | | eNdonesia Portal 8.7 SQL Injection via mod.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:12.948Z

Reserved: 2026-05-30T12:17:12.931Z

Link: CVE-2018-25405

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:16:55.650

Modified: 2026-05-30T16:16:55.650

Link: CVE-2018-25405

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses