Description
eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details.
Published: 2026-05-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The eNdonesia Portal 8.7 has multiple SQL injection flaws in the mod.php script that allow unauthenticated users to craft malicious input. By inserting SQL code into the artid, cid, did, contid, and aboutid parameters across several modules, an attacker can run arbitrary queries against the database. This capability permits extraction of sensitive information such as usernames, database names, and server version details, compromising confidentiality and potentially integrity if the injected queries modify the data.

Affected Systems

Endonesia’s eNdonesia Portal version 8.7 is vulnerable. The flaw resides in the publicly accessible mod.php endpoint, affecting the publisher, diskusi, galeri, content, and about modules via the listed parameters.

Risk and Exploitability

With a CVSS vector of 8.8, the flaw is considered high severity. Because the EPSS score is not available, the precise exploitation probability is unknown; however, the vulnerability is publicly documented in Exploit‑DB and is not in the CISA KEV catalog. The attack vector is clear: unauthenticated HTTP requests to mod.php with crafted parameter values. The impact extends to all users of the portal and compromises data stored in the database.

Generated by OpenCVE AI on May 30, 2026 at 16:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Acquire and install the latest vendor patch for eNdonesia Portal 8.7 or upgrade to a confirmed secure version once it becomes available
  • Implement strict input validation and adopt parameterized queries in the application logic to prevent arbitrary SQL execution
  • Deploy a web application firewall or equivalent intrusion prevention system to identify and block suspicious SQL injection traffic on the mod.php endpoint

Generated by OpenCVE AI on May 30, 2026 at 16:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sat, 30 May 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Endonesia
Endonesia endonesia
Vendors & Products Endonesia
Endonesia endonesia

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Description eNdonesia Portal 8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through parameters in mod.php. Attackers can inject SQL through the artid, cid, did, contid, and aboutid parameters across publisher, diskusi, galeri, content, and about modules to extract database information including usernames, database names, and version details.
Title eNdonesia Portal 8.7 SQL Injection via mod.php
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Endonesia Endonesia
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-30T14:55:14.886Z

Reserved: 2026-05-30T12:21:10.616Z

Link: CVE-2018-25407

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-30T16:17:01.303

Modified: 2026-05-30T16:17:01.303

Link: CVE-2018-25407

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T20:45:05Z

Weaknesses