{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2018-25209", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-26T11:34:46.382Z", "datePublished": "2026-03-26T11:39:55.703Z", "dateUpdated": "2026-03-26T11:39:55.703Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-26T11:39:55.703Z"}, "title": "OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter", "descriptions": [{"lang": "en", "value": "OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication."}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "cweId": "CWE-89", "type": "CWE"}]}], "affected": [{"vendor": "Sourceforge", "product": "OpenBiz Cubi Lite", "versions": [{"version": "v3.0.8", "status": "affected"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "baseScore": 8.8, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS"}, {"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "format": "CVSS"}], "references": [{"url": "https://www.exploit-db.com/exploits/45801", "name": "ExploitDB-45801", "tags": ["exploit"]}, {"url": "https://sourceforge.net/projects/bigchef/", "name": "Official Product Homepage", "tags": ["product"]}, {"url": "https://sourceforge.net/projects/bigchef/files/latest/download", "name": "Product Reference", "tags": ["product"]}, {"name": "VulnCheck Advisory: OpenBiz Cubi Lite 3.0.8 SQL Injection via username Parameter", "tags": ["third-party-advisory"], "url": "https://www.vulncheck.com/advisories/openbiz-cubi-lite-sql-injection-via-username-parameter"}], "credits": [{"lang": "en", "value": "\u00d6zkan Mustafa Akku\u015f (AkkuS)", "type": "finder"}], "x_generator": {"engine": "vulncheck"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenBiz Cubi Lite 3.0.8 contains a SQL injection vulnerability in the login form that allows unauthenticated attackers to manipulate database queries through the username parameter. Attackers can submit POST requests to /bin/controller.php with malicious SQL code in the username field to extract sensitive database information or bypass authentication."}], "id": "CVE-2018-25209", "lastModified": "2026-03-26T15:13:15.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-26T12:16:06.257", "references": [{"source": "disclosure@vulncheck.com", "url": "https://sourceforge.net/projects/bigchef/"}, {"source": "disclosure@vulncheck.com", "url": "https://sourceforge.net/projects/bigchef/files/latest/download"}, {"source": "disclosure@vulncheck.com", "url": "https://www.exploit-db.com/exploits/45801"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/openbiz-cubi-lite-sql-injection-via-username-parameter"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-26T13:21:41.536457+00:00", "value": {"mitigation_remediation": ["Apply an available patch or upgrade to a newer OpenBiz Cubi Lite release that resolves the injection flaw.", "Restrict direct POST access to the controller endpoint by configuring a web\u2011application firewall or network firewall to allow traffic only from trusted IP ranges.", "Deploy a web\u2011application firewall rule that blocks suspicious SQL syntax in the username field.", "Continuously monitor authentication and database logs for anomalous activity.", "Verify with the SourceForge project page or vendor documentation that the affected version has been fixed before restoring normal access."], "summary": {"action": "Apply Patch", "impact": "Unauthenticated SQL Injection leading to data exposure or authentication bypass"}, "threat_synthesis": {"affected_systems": "This flaw affects Sourceforge's OpenBiz Cubi Lite product, specifically version 3.0.8. Only this version is known to be affected according to the available CNA data.", "description_and_impact": "The vulnerability resides in a login form that processes user input without proper sanitization. An unauthenticated attacker can submit a crafted POST request to the controller endpoint, inserting SQL commands in the username field. This flaw permits execution of arbitrary database queries, allowing the attacker to read, modify, or delete sensitive data, or to bypass authentication entirely. The weakness aligns with CWE\u201189, leading to potential loss of confidentiality and integrity of the application database.", "risk_and_exploitability": "The vulnerability is rated high with a CVSS score of 8.8, indicating a severe impact when exploited. Although EPSS data is unavailable, the absence from the KEV catalog does not mitigate the threat, as the flaw allows unauthenticated data access over the network. Attackers can exploit the flaw remotely via the public web interface, requiring no credentials. Due to the straightforward nature of the injection and the lack of authentication, the barrier to exploitation is low."}}}}, "created": "2026-03-26T13:54:41.548784+00:00", "updated": "2026-03-26T13:54:41.548811+00:00", "vendors": []}