Description
Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details.
Published: 2026-06-01
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Paroiciel 11.20 contains a flaw that permits attackers with authentication to inject SQL statements through the zProIdPro parameter in requests to zpro.php. The injected statements enable the attacker to retrieve sensitive database contents such as usernames, database names and server versions. The weakness aligns with CWE‑89, illustrating improper input handling that leads to arbitrary SQL execution and potential data compromise.

Affected Systems

The vulnerability affects the Paroiciel application, version 11.20. Any deployment running this release is potentially susceptible; newer releases may address the issue, but the CVE references do not indicate a fix in later versions.

Risk and Exploitability

The CVSS score of 7.1 indicates a high impact when combined with the requirement of authenticated access. No EPSS information is available, but the presence of an exploit in Exploit‑DB suggests that attackers could leverage the flaw. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to be authenticated against the application and craft a GET request containing malicious SQL payloads targeting the zProIdPro parameter.

Generated by OpenCVE AI on June 1, 2026 at 22:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑provided security patch or upgrade to a Paroiciel version that removes the vulnerability.
  • Disallow or restrict unauthenticated access to zpro.php, ensuring only trusted users can hit the endpoint.
  • Enforce server‑side input validation on the zProIdPro parameter and use parameterized queries to eliminate the possibility of SQL injection.

Generated by OpenCVE AI on June 1, 2026 at 22:58 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
First Time appeared Paroiciel
Paroiciel paroiciel
Vendors & Products Paroiciel
Paroiciel paroiciel

Tue, 02 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 01 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Description Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the zProIdPro parameter. Attackers can send GET requests to zpro.php with crafted SQL payloads in the zProIdPro parameter to extract sensitive database information including usernames, databases, and version details.
Title Paroiciel 11.20 SQL Injection via zProIdPro Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Paroiciel Paroiciel
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-02T12:27:19.130Z

Reserved: 2026-05-31T12:59:41.276Z

Link: CVE-2018-25429

cve-icon Vulnrichment

Updated: 2026-06-02T12:27:15.975Z

cve-icon NVD

Status : Deferred

Published: 2026-06-01T22:16:16.157

Modified: 2026-06-02T14:43:49.920

Link: CVE-2018-25429

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-02T20:52:33Z

Weaknesses