CVE-2018-25201
Published: 26 March 2026
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2018-25201 is an SQL injection vulnerability (CWE-89) affecting School Management System CMS 1.0, specifically in the admin login functionality. The flaw exists in the processlogin endpoint, where attackers can inject SQL code through the username parameter using boolean-based blind SQL injection techniques. This allows authentication bypass without valid credentials, earning a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).
Attackers can exploit this vulnerability remotely over the network with low complexity and low privileges required. By submitting malicious payloads to the username field during admin login attempts, they can authenticate as an administrator, potentially gaining high-level confidentiality access to sensitive data and limited integrity modifications, while availability remains unaffected.
Advisories and further details on mitigation are available in referenced sources, including Exploit-DB (exploit 44727) and VulnCheck's advisory on the School Management System CMS admin login SQL injection. The WeCodex page provides additional context on the affected PHP/MySQL-based system. No specific patches are detailed in the provided information.
Details
- CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The SQL injection vulnerability in the admin login of a public-facing web application directly enables exploitation of a public-facing application for authentication bypass and unauthorized access.