Description
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

eNdonesia Portal 8.7 has multiple SQL Injection flaws in the mod.php file that let attackers inject malicious SQL through the artid, cid, did, contid, and aboutid parameters. The flaw allows unauthenticated users to run arbitrary queries and retrieve sensitive information such as database credentials, usernames, and software version details. This type of vulnerability aligns with CWE‑89 and directly threatens the confidentiality of the database contents.

Affected Systems

The vulnerability affects Endonesia eNdonesia Portal version 8.7. No other versions are listed as impacted, and there is no indication that earlier releases are affected.

Risk and Exploitability

The CVSS score of 8.8 marks it as a high‑severity issue, and while no EPSS value is provided, the absence of a KEV listing does not reduce the inherent risk. The flaw is exploitable over the web; an attacker only needs to access the mod.php endpoint and can send the malicious payload without authentication. Given the ease of exploitation and the potential to harvest credentials, the risk to any deployed instance of the portal is significant.

Generated by OpenCVE AI on May 30, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Download and install the latest Endonesia Portal release from the vendor, which contains the fix for the SQL injection vulnerabilities.
  • Configure the web server to deny unauthenticated access to mod.php and any other exposed modules that accept the vulnerable parameters. If patching is not immediately possible, remove or rename the mod.php script to prevent direct access.
  • Deploy a Web Application Firewall with SQL injection rules targeting the mod.php endpoints to block known exploitation patterns.



Advisories

No advisories yet.

History

Sat, 30 May 2026 21:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Endonesia; Endonesia endonesia
Vendors & Products | | Endonesia; Endonesia endonesia

Sat, 30 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database credentials, usernames, and version information.
Title | | eNdonesia Portal 8.7 SQL Injection via mod.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1: {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}; cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:14.125Z

Reserved: 2026-05-30T12:17:18.007Z

Link: CVE-2018-25406

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-30T16:17:00.303

Modified: 2026-05-30T16:17:00.303

Link: CVE-2018-25406

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses