{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25210", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:34:53.935Z", "datePublished": "2026-03-26T11:39:56.394Z", "dateUpdated": "2026-03-28T02:16:15.915Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:56.394Z"}, "datePublic": "2018-11-21T00:00:00.000Z", "title": "WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Web-Ofisi", "product": "Ticaret V4", "versions": [{"version": "4.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45897", "name": "ExploitDB-45897", "tags": ["exploit"]}, {"url": "https://www.web-ofisi.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-28T02:15:55.176135Z", "id": "CVE-2018-25210", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:16:15.915Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25210", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-28T02:15:55.176135Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-28T02:16:12.184Z"}}], "cna": {"title": "WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "credits": [{"lang": "en", "type": "finder", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.8, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Web-Ofisi", "product": "Ticaret V4", "versions": [{"status": "affected", "version": "4.0"}]}], "datePublic": "2018-11-21T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/45897", "name": "ExploitDB-45897", "tags": ["exploit"]}, {"url": "https://www.web-ofisi.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter", "name": "VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:56.394Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25210", "state": "PUBLISHED", "dateUpdated": "2026-03-28T02:16:15.915Z", "dateReserved": "2026-03-26T11:34:53.935Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-26T11:39:56.394Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:web-ofisi:e-ticaret:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5D70C89-2D66-4888-BF84-D25741E499D0", "versionEndIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}, {"lang": "es", "value": "WebOfisi E-Ticaret 4.0 contiene una vulnerabilidad de inyecci\u00f3n SQL en el par\u00e1metro GET 'urun' del endpoint que permite a atacantes no autenticados manipular consultas de la base de datos. Los atacantes pueden inyectar cargas \u00fatiles SQL a trav\u00e9s del par\u00e1metro 'urun' para ejecutar ataques de inyecci\u00f3n SQL ciegos basados en booleanos, basados en errores, ciegos basados en tiempo y de consultas apiladas contra la base de datos de backend."}], "id": "CVE-2018-25210", "lastModified": "2026-03-27T18:29:35.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:06.460", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45897"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.web-ofisi.com"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.0"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "Ticaret V4", "source": "cna", "vendor": "Web-Ofisi"}, "product": "ticaret", "vendor": "web-ofisi"}], "analysis": {"en": {"generated_at": "2026-03-27T20:25:32.396543+00:00", "value": {"mitigation_remediation": ["Apply any vendor\u2011released patch or update that addresses the SQL injection flaw on Web\u2011Ofisi E\u2011Ticaret 4.0.", "If a patch is not yet available, restrict unauthenticated access to the endpoint that accepts the \u2018urun\u2019 parameter, for example by implementing network or application firewall rules.", "Deploy a web application firewall configured to detect and block suspicious SQL injection patterns on the vulnerable endpoint.", "Review the application code to replace the vulnerable query construction with parameterized queries or prepared statements, thereby eliminating the injection surface."], "summary": {"action": "Immediate Patch", "impact": "Remote SQL injection allowing unauthenticated attackers to manipulate database queries"}, "threat_synthesis": {"affected_systems": "The vulnerability applies to Web\u2011Ofisi Ticaret V4, specifically the E\u2011Ticaret 4.0 web application. No specific version information is disclosed in the data.", "description_and_impact": "An unauthenticated attacker can inject arbitrary SQL through the web application\u2019s \u2018urun\u2019 GET parameter. The flaw supports boolean\u2011based blind, error\u2011based, time\u2011based blind, and stacked query attacks, potentially enabling the attacker to read, modify, or delete sensitive data stored in the backend database. Based on the description, it is inferred that these actions could expose customer information, disrupt transactions, and undermine business operations.", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, classifying it as high severity. Its EPSS score is below 1\u202f%, indicating a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is remote, as the attack can be performed by sending an unauthenticated HTTP GET request to the vulnerable endpoint. The vulnerability can be exploited without requiring additional privileges or user interaction, making it relatively easy for attackers skilled in SQL injection."}}}}, "created": "2026-03-26T13:54:40.491016+00:00", "updated": "2026-03-29T20:27:55.553007+00:00", "vendors": ["web-ofisi", "web-ofisi$PRODUCT$ticaret"]}