CVE-2018-25392NVD

Vulnerability Summary

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

Severity Level

HIGH(7.1)

Published Date

May 29, 2026

Last Modified

Jun 2, 2026

Exploitation Status

UNKNOWN

Root Weakness (CWE)

N/A

EPSS Score (30-Day)

0.03%Probability

CVSS v3.1 Base Metrics

Attack VectorNetwork

Attack ComplexityLow

Privileges RequiredLow

User InteractionNone

ScopeUnchanged

ConfidentialityHigh

IntegrityLow

AvailabilityNone

External References

https://www.exploit-db.com/exploits/45605
http://www.talagasoft.com
http://demo.maxonerp.com/
https://www.vulncheck.com/advisories/maxon-erp-software-8-x-9-x-sql-injection-via-nomor-parameter