{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25210", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:34:53.935Z", "datePublished": "2026-03-26T11:39:56.394Z", "dateUpdated": "2026-03-26T11:39:56.394Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:56.394Z"}, "datePublic": "2018-11-21T00:00:00.000Z", "title": "WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "affected": [{"vendor": "Web-Ofisi", "product": "Ticaret V4", "versions": [{"version": "4.0", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45897", "name": "ExploitDB-45897", "tags": ["exploit"]}, {"url": "https://www.web-ofisi.com", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:web-ofisi:e-ticaret:*:*:*:*:*:*:*:*", "matchCriteriaId": "D5D70C89-2D66-4888-BF84-D25741E499D0", "versionEndIncluding": "4.0.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."}, {"lang": "es", "value": "WebOfisi E-Ticaret 4.0 contiene una vulnerabilidad de inyecci\u00f3n SQL en el par\u00e1metro GET 'urun' del endpoint que permite a atacantes no autenticados manipular consultas de la base de datos. Los atacantes pueden inyectar cargas \u00fatiles SQL a trav\u00e9s del par\u00e1metro 'urun' para ejecutar ataques de inyecci\u00f3n SQL ciegos basados en booleanos, basados en errores, ciegos basados en tiempo y de consultas apiladas contra la base de datos de backend."}], "id": "CVE-2018-25210", "lastModified": "2026-03-27T18:29:35.243", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:06.460", "references": [{"source": "disclosure@vulncheck.com", "tags": ["Broken Link"], "url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing"}, {"source": "disclosure@vulncheck.com", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"], "url": "https://www.exploit-db.com/exploits/45897"}, {"source": "disclosure@vulncheck.com", "tags": ["Third Party Advisory"], "url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter"}, {"source": "disclosure@vulncheck.com", "tags": ["Product"], "url": "https://www.web-ofisi.com"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "4.0"}}], "enrichment": {"confidence": 92.0, "confidence_source": "matching", "scores": [{"score": 92.0, "source": "matching"}]}, "original": {"product": "Ticaret V4", "source": "cna", "vendor": "Web-Ofisi"}, "product": "ticaret", "vendor": "web-ofisi"}], "analysis": {"en": {"generated_at": "2026-03-26T13:21:29.340042+00:00", "value": {"mitigation_remediation": ["Contact Web\u2011Ofisi for a patch or fix", "Disable direct manipulation of the 'urun' parameter by enforcing strict input validation", "Apply web application firewall rules to block suspicious SQL patterns", "If no patch is available, temporarily harden the application by removing the vulnerable endpoint or restricting access"], "summary": {"action": "Apply Patch", "impact": "Database Compromise"}, "threat_synthesis": {"affected_systems": "The affected product is Web\u2011Ofisi E\u2011Ticaret V4, a web\u2011based e\u2011commerce platform. No specific version range is listed beyond V4, so all instances of that edition are potentially vulnerable.", "description_and_impact": "The vulnerability is an unauthenticated SQL injection in the 'urun' GET parameter of Web\u2011Ofisi E\u2011Ticaret 4.0. Attackers can inject malicious SQL, allowing boolean\u2011based blind, error\u2011based, time\u2011based blind, and stacked query attacks against the backend database. This can enable unauthorized data retrieval, modification, or deletion, potentially exposing sensitive information or compromising the integrity of the shop\u2019s database.", "risk_and_exploitability": "The CVSS score of 8.8 indicates a high severity. The exploit probability metric is missing, but the lack of a KEV listing suggests no publicly known exploitation yet. The flaw is reachable through the public web interface without authentication, implying a high likelihood of exploitation. Attackers can leverage this to extract sensitive data or alter the database, leading to significant information disclosure or integrity compromise."}}}}, "created": "2026-03-26T13:54:40.491016+00:00", "updated": "2026-03-27T08:36:00.974665+00:00", "vendors": ["web-ofisi", "web-ofisi$PRODUCT$ticaret"]}