CVE-2018-25210

CVE-2018-25210 is an SQL injection vulnerability in WebOfisi E-Ticaret 4.0, specifically in the 'urun' GET parameter of the affected endpoint. This flaw allows unauthenticated attackers to inject SQL payloads, enabling manipulation of backend database queries through techniques such as boolean-based blind, error-based, time-based blind, and stacked query attacks. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N) and is associated with CWE-79.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity and no user interaction required. Successful exploitation grants high-impact access to confidential data via query manipulation, with low integrity impact but no availability disruption, potentially allowing extraction of sensitive information from the database.

Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter), an Exploit-DB entry (https://www.exploit-db.com/exploits/45897), a proof-of-concept file (https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing), and the vendor site (https://www.web-ofisi.com), provide details on the issue, though specific patch or mitigation instructions are outlined in those resources.