WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database.
PUBLISHED5.2CWE-79
WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter
Problem type
Affected products
Web-Ofisi
Ticaret V4
4.0 - AFFECTED
References
ExploitDB-45897
https://www.exploit-db.com/exploits/45897
Official Product Homepage
https://www.web-ofisi.com
Product Reference
https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing
VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter
https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter
JSON source
https://cveawg.mitre.org/api/cve/CVE-2018-25210Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2018-25210",
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"dateUpdated": "2026-03-26T11:39:56.394Z",
"dateReserved": "2026-03-26T11:34:53.935Z",
"datePublished": "2026-03-26T11:39:56.394Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck",
"dateUpdated": "2026-03-26T11:39:56.394Z"
},
"datePublic": "2018-11-21T00:00:00.000Z",
"title": "WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter",
"descriptions": [
{
"lang": "en",
"value": "WebOfisi E-Ticaret 4.0 contains an SQL injection vulnerability in the 'urun' GET parameter of the endpoint that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL payloads through the 'urun' parameter to execute boolean-based blind, error-based, time-based blind, and stacked query attacks against the backend database."
}
],
"affected": [
{
"vendor": "Web-Ofisi",
"product": "Ticaret V4",
"versions": [
{
"version": "4.0",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')",
"cweId": "CWE-79",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://www.exploit-db.com/exploits/45897",
"name": "ExploitDB-45897",
"tags": [
"exploit"
]
},
{
"url": "https://www.web-ofisi.com",
"name": "Official Product Homepage",
"tags": [
"product"
]
},
{
"url": "https://drive.google.com/file/d/1ZghFSsYto-Vpv3PXunx8xm2g-Gs3HJwz/view?usp=sharing",
"name": "Product Reference",
"tags": [
"product"
]
},
{
"url": "https://www.vulncheck.com/advisories/webofisi-e-ticaret-sql-injection-via-urun-parameter",
"name": "VulnCheck Advisory: WebOfisi E-Ticaret 4.0 SQL Injection via urun Parameter",
"tags": [
"third-party-advisory"
]
}
],
"metrics": [
{
"format": "CVSS"
},
{
"format": "CVSS",
"cvssV3_1": {
"version": "3.1",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"attackVector": "NETWORK",
"attackComplexity": "LOW",
"privilegesRequired": "NONE",
"userInteraction": "NONE",
"scope": "UNCHANGED",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH"
}
}
],
"credits": [
{
"lang": "en",
"value": "Özkan Mustafa Akkuş (AkkuS)",
"type": "finder"
}
]
}
}
}