CVE-2018-25392— MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationAffected Version Matrix 2
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Talagasoft | MaxOn ERP | 8.0 | affected |
9.0 | affected |
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2018-25392
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
SQL命令中使用的特殊元素转义处理不恰当(SQL注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Maxon ERP SQL注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Maxon ERP是Maxon ERP公司的一个 ERP 软件。 Maxon ERP Software 8.x版本至9.x版本存在SQL注入漏洞,该漏洞源于log_activity函数中nomor、user和jenis参数,可能导致经过身份验证的用户执行任意SQL查询,提取敏感数据库信息。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Talagasoft | MaxOn ERP | 8.0 | - |
II. Public POCs for CVE-2018-25392
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2018-25392
请登录查看更多情报信息。
Vendor Advisories for CVE-2018-25392 (1)
Exploits & Public PoCs for CVE-2018-25392 (1)
Vendor Pages for CVE-2018-25392 (1)
Other References for CVE-2018-25392 (1)
- http://demo.maxonerp.com/product
IV. Related Vulnerabilities
Same weakness: CWE-89
- CVE-2026-10620
code-projects Student Admission System index.php sql injecti - CVE-2026-5073
ARMember Premium <= 7.3.1 - Unauthenticated SQL Injection vi - CVE-2026-5074
ARMember Premium <= 7.3.1 - Authenticated (Subscriber+) SQL - CVE-2026-10608
DedeCMS carbuyaction.php RemoveXSS sql injection - CVE-2026-10607
DedeCMS flink.php dede_htmlspecialchars sql injection
V. Comments for CVE-2018-25392
No comments yet