{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25210", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:34:53.935Z", "datePublished": "2026-03-26T11:39:56.394Z", "dateUpdated": "2026-03-26T11:39:56.394Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:56.394Z"}, "datePublic": "2018-11-21T00:00:00.000Z", "title": "WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Web-Ofisi", "product": "Ticaret V4", "versions": [{"version": "4.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45897", "name": "ExploitDB-45897", "tags": ["exploit"]}, {"url": "https://www.web-ofisi.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}], "id": "CVE-2018-25210", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:06.460", "references": [{"source": "disclosure@vulncheck.com", "url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/45897"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}, {"source": "disclosure@vulncheck.com", "url": "https://www.web-ofisi.com"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T13:21:29.340042+00:00", "value": {"mitigation_remediation": ["Contact Web\u2011Ofisi for a patch or fix", "Disable direct manipulation of the 'urun' parameter by enforcing strict input validation", "Apply web application firewall rules to block suspicious SQL patterns", "If no patch is available, temporarily harden the application by removing the vulnerable endpoint or restricting access"], "summary": {"action": "Apply Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is Web\u2011Ofisi E\u2011Ticaret V4, a web\u2011based e\u2011commerce platform. No specific version range is listed beyond V4, so all instances of that edition are potentially vulnerable.", "description_and_impact": "The vulnerability is an unauthenticated SQL injection in the 'urun' GET parameter of Web\u2011Ofisi E\u2011Ticaret 4.0. Attackers can inject malicious SQL, allowing boolean\u2011based blind, error\u2011based, time\u2011based blind, and stacked query attacks against the backend database. This can enable unauthorized data retrieval, modification, or deletion, potentially exposing sensitive information or compromising the integrity of the shop\u2019s database.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. The exploit probability metric is missing, but the lack of a KEV listing suggests no publicly known exploitation yet. The flaw is reachable through the public web interface without authentication, implying a high likelihood of exploitation. Attackers can leverage this to extract sensitive data or alter the database, leading to significant information disclosure or integrity compromise."}}}}, "created": "2026-03-26T13:54:40.491016+00:00", "updated": "2026-03-26T13:54:40.491038+00:00", "vendors": []}