CVE-2018-25392 HIGH

CVE-2018-25392: MaxOn ERP Software 8.x-9.x SQL Injection via nomor Parameter

Vendor Talagasoft
Product MaxOn ERP
Weakness CWE-89 · SQLi
Published May 29, 2026
Last update June 2, 2026

CVSS base score

7.1/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

MaxOn ERP Software 8.x-9.x contains an SQL injection vulnerability that allows authenticated users to execute arbitrary SQL queries through the nomor, user, and jenis parameters in the log_activity function. Attackers can send POST requests to /index.php/user/log_activity with malicious SQL code in these parameters to extract sensitive database information including version and database names.

Key dates

02Disclosure timeline

May 29, 2026 CVE published
June 2, 2026 Record updated