Description

SOCA Access Control System 180612 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through unvalidated POST parameters. Attackers can bypass authentication, retrieve password hashes, and gain administrative access with full system privileges by exploiting injection flaws in Login.php and Card_Edit_GetJson.php.

PUBLISHED Reserved 2025-12-24 | Published 2025-12-24 | Updated 2025-12-24 | Assigner VulnCheck




CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
HIGH: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

180612: affected

170000: affected

141007: affected

Credits

LiquidWorm as Gjoko Krstic of Zero Science Lab (finder)

References

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php exploit

www.exploit-db.com/exploits/46833 (ExploitDB-46833) exploit

www.socatech.com (SOCA Technology Product Homepage) product

www.zeroscience.mk/en/vulnerabilities/ZSL-2019-5519.php (Zero Science Lab Disclosure (ZSL-2019-5519)) third-party-advisory

cve.org (CVE-2018-25128)

nvd.nist.gov (CVE-2018-25128)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.