{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25207", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:33:48.528Z", "datePublished": "2026-03-26T11:39:53.997Z", "dateUpdated": "2026-03-26T13:00:10.011Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:53.997Z"}, "datePublic": "2018-09-03T00:00:00.000Z", "title": "Online Quiz Maker 1.0 SQL Injection via catid Parameter", "descriptions": [{"lang": "en", "value": "Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Hscripts", "product": "Online Quiz Maker", "versions": [{"version": "1.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 7.1, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45323", "name": "ExploitDB-45323", "tags": ["exploit"]}, {"url": "https://www.hscripts.com/scripts/php/quiz-maker.php", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: Online Quiz Maker 1.0 SQL Injection via catid Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/online-quiz-maker-sql-injection-via-catid-parameter"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T12:57:49.714957Z", "id": "CVE-2018-25207", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:00:10.011Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2018-25207", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T12:57:49.714957Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T12:59:42.965Z"}}], "cna": {"title": "Online Quiz Maker 1.0 SQL Injection via catid Parameter", "credits": [{"lang": "en", "type": "finder", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "Hscripts", "product": "Online Quiz Maker", "versions": [{"status": "affected", "version": "1.0"}]}], "datePublic": "2018-09-03T00:00:00.000Z", "references": [{"url": "https://www.exploit-db.com/exploits/45323", "name": "ExploitDB-45323", "tags": ["exploit"]}, {"url": "https://www.hscripts.com/scripts/php/quiz-maker.php", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip", "name": "Product Reference", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/online-quiz-maker-sql-injection-via-catid-parameter", "name": "VulnCheck Advisory: Online Quiz Maker 1.0 SQL Injection via catid Parameter", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:53.997Z"}}}, "cveMetadata": {"cveId": "CVE-2018-25207", "state": "PUBLISHED", "dateUpdated": "2026-03-26T13:00:10.011Z", "dateReserved": "2026-03-26T11:33:48.528Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-26T11:39:53.997Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Online Quiz Maker 1.0 contains SQL injection vulnerabilities in the catid and usern parameters that allow authenticated attackers to execute arbitrary SQL commands. Attackers can submit malicious POST requests to quiz-system.php or add-category.php with crafted SQL payloads in POST parameters to extract sensitive database information or bypass authentication."}], "id": "CVE-2018-25207", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:05.847", "references": [{"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/45323"}, {"source": "disclosure@vulncheck.com", "url": "https://www.hscripts.com/scripts/php/downloads/quiz-maker.zip"}, {"source": "disclosure@vulncheck.com", "url": "https://www.hscripts.com/scripts/php/quiz-maker.php"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/online-quiz-maker-sql-injection-via-catid-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T13:22:01.814060+00:00", "value": {"mitigation_remediation": ["Verify that user authentication is required before processing catid or usern parameters.", "Replace vulnerable SQL query construction with parameterized statements or prepared statements to eliminate injection risk.", "Validate or sanitize all POST input values, ensuring they match expected formats and lengths.", "Restrict database user permissions to the minimum necessary privileges for the application.", "Apply any vendor\u2011released patch or updated version when it becomes available.", "Monitor application logs for anomalous SQL activity or repeated injection attempts."], "summary": {"action": "Apply Mitigation", "impact": "Unauthorized Data Access and Authentication Bypass"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Hscripts' Online Quiz Maker 1.0. No specific version extensions are noted beyond the base release, and no additional vendors are listed.", "description_and_impact": "Online Quiz Maker 1.0 includes SQL injection vulnerabilities in the catid and usern parameters that let authenticated attackers send crafted POST requests to quiz-system.php or add-category.php. By injecting malicious SQL, an attacker can read or modify the database, extract sensitive information, or bypass authentication controls. This can compromise confidentiality and integrity of the quiz content and user data.", "risk_and_exploitability": "The CVSS score of 7.1 indicates high impact, but the EPSS score is unavailable, making it unclear how frequently this flaw is exploited in the wild. The flaw is not listed in CISA\u2019s KEV catalog. The attack vector is web\u2011based; an attacker must be authenticated to the application and can submit malicious POST payloads. Given the lack of public exploitation and the need for authentication, the likelihood is moderate, but the potential damage if exploited is significant."}}}}, "created": "2026-03-26T13:54:43.582192+00:00", "updated": "2026-03-26T13:54:43.582287+00:00", "vendors": []}