Description
eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables.
Published: 2026-03-24
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Immediate Patch
AI Analysis

Impact

This vulnerability is an SQL injection flaw in eNdonesia Portal version 8.7, located in banners.php. An unauthenticated attacker can supply a crafted bid value in a GET request, causing the server to execute arbitrary SQL statements. By directing the query to the INFORMATION_SCHEMA tables, attackers can retrieve sensitive database information. The weakness conforms to CWE‑89.

Affected Systems

The only identified affected product is eNdonesia Portal v8.7 from the vendor eNdonesia. No other versions or platform details are listed in this CVE entry.

Risk and Exploitability

The flaw carries a high CVSS score of 8.8, indicating substantial impact. Exploitation requires only network access to the web server and no authentication, making it easily reachable by anonymous attackers. EPSS data is not available and the vulnerability is not listed in the CISA KEV catalog, yet its severity suggests it could be actively exploited. Attackers can trigger it through a standard HTTP GET request to banners.php with a malicious bid parameter.

Generated by OpenCVE AI on March 24, 2026 at 12:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's security patch or upgrade to a non‑vulnerable eNdonesia Portal release.
  • If a patch is unavailable, restrict external access to the banners.php endpoint or block the bid parameter using firewall or WAF rules to eliminate the injection point.
  • Ensure that the application validates or sanitizes user input before incorporating it into SQL statements.
  • Monitor web server logs for suspicious bid parameter activity and investigate any anomalies.


Advisories

No advisories yet.

History

Wed, 25 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 25 Mar 2026 12:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Endonesia; Endonesia endonesia
Vendors & Products | | Endonesia; Endonesia endonesia

Tue, 24 Mar 2026 11:45:00 +0000

Type | Values Removed | Values Added
Description | | eNdonesia Portal v8.7 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the bid parameter. Attackers can send GET requests to banners.php with crafted SQL payloads in the bid parameter to extract sensitive database information from the INFORMATION_SCHEMA tables.
Title | | eNdonesia Portal v8.7 SQL Injection via banners.php
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
 | | cvssV4_0 {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-24T13:24:38.649Z

Reserved: 2026-03-24T11:05:50.789Z

Link: CVE-2019-25643

Vulnrichment

Updated: 2026-03-24T13:24:34.688Z

NVD

Status: Deferred

Published: 2026-03-24T12:16:06.640

Modified: 2026-04-15T15:00:32.790

Link: CVE-2019-25643

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T20:39:28Z
