SQL Injection Vulnerabilities Discovered in Gate Pass Management System and Yot CMS
Severity: High (Score: 74.0)
Sources: cve.akaoma.com, www.incibe.es, vuldb.com, Feedly, vulners.com
Summary
Two critical SQL injection vulnerabilities have been identified in Gate Pass Management System 2.1 and Yot CMS 3.3.1, both published on 2026-05-30. CVE-2018-25424 allows unauthenticated attackers to bypass authentication via the login-exec.php endpoint, while CVE-2018-25425 enables attackers to execute arbitrary SQL queries through the aid and cid parameters of index.php. Both vulnerabilities can lead to unauthorized access and data extraction. No public proof-of-concept or evidence of exploitation has been reported yet. Security professionals are urged to implement patches and protective measures. The CVSS base score for both vulnerabilities is 8.2, indicating a high severity level. Immediate action is recommended to mitigate potential risks.

Key Points:
- CVE-2018-25424 and CVE-2018-25425 are critical SQL injection vulnerabilities.
- Both vulnerabilities allow unauthenticated attackers to access sensitive data.
- Patches are available for CVE-2018-25425; urgent action is recommended for both vulnerabilities.
Detailed Analysis
**Impact** Organizations using Gate Pass Management System 2.1 and Yot CMS 3.3.1 are affected globally, with no specific sectors or geographies identified. The vulnerabilities allow unauthenticated attackers to bypass authentication or extract sensitive database information, risking unauthorized access to applications and exposure of database structure details such as table and column names. The impact includes potential compromise of confidentiality and integrity, with a CVSS base score of 8.2 indicating severe risk. There is no current evidence of exploitation in the wild.

**Technical Details** The attack vector involves unauthenticated SQL injection via HTTP requests: POST requests targeting the login and password parameters in Gate Pass Management System’s login-exec.php endpoint (CVE-2018-25424), and GET requests targeting the aid and cid parameters in Yot CMS’s index.php (CVE-2018-25425). The vulnerabilities allow attackers to bypass authentication or execute arbitrary SQL queries to extract database information. No malware or specific tools are mentioned. The vulnerabilities affect the initial access and execution stages of the kill chain. No IOCs are provided.

**Recommended Response** Apply available patches immediately: upgrade Gate Pass Management System and Yot CMS to patched versions as per GitHub advisories. Implement parameterized queries or prepared statements and input validation for affected parameters. Deploy Web Application Firewalls (WAF) with SQL injection detection rules and consider rate limiting login attempts on Gate Pass Management System. Monitor for unusual login attempts and anomalous database queries targeting the specified parameters. No public proof-of-concept or exploitation evidence exists, but urgent mitigation is advised.
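As an added illustration of the monitoring step above (not code from any of the source articles or from either project), the following Python scans constructed web-server log lines for the two request shapes the advisories name: GET requests to index.php whose aid/cid values are not plain integers, and bursts of POSTs to login-exec.php from one client. The combined-log format, the 60-second window and the threshold of five POSTs are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit, parse_qs

# Combined-log-style line: ip - - [ts] "METHOD path HTTP/x" status  (assumed format)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
ID_PARAMS = ("aid", "cid")  # index.php identifiers named in CVE-2018-25425; expected to be integers

def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec

def non_numeric_id_params(path):
    """Names of aid/cid parameters on index.php whose value is not a plain integer."""
    parts = urlsplit(path)
    if not parts.path.endswith("index.php"):
        return []
    qs = parse_qs(parts.query, keep_blank_values=True)
    return [k for k in ID_PARAMS if any(not v.isdigit() for v in qs.get(k, []))]

def analyze(lines, window=timedelta(seconds=60), max_logins=5):
    """Return (ip, reason) findings: odd index.php ids, and login-exec.php POST bursts."""
    findings = []
    logins = defaultdict(list)  # ip -> timestamps of recent POSTs to login-exec.php
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        bad = non_numeric_id_params(rec["path"])
        if rec["method"] == "GET" and bad:
            findings.append((rec["ip"], "non-numeric %s on index.php" % ",".join(bad)))
        if rec["method"] == "POST" and rec["path"].endswith("login-exec.php"):
            recent = [t for t in logins[rec["ip"]] if rec["ts"] - t <= window] + [rec["ts"]]
            logins[rec["ip"]] = recent
            if len(recent) == max_logins + 1:  # report once, when the threshold is crossed
                findings.append((rec["ip"], "more than %d login POSTs within %ds" % (max_logins, window.seconds)))
    return findings

SAMPLE_LOG = [  # constructed sample lines, not from any real deployment
    '203.0.113.5 - - [30/May/2026:10:00:00 +0000] "GET /index.php?aid=12&cid=3 HTTP/1.1" 200',
    '203.0.113.5 - - [30/May/2026:10:00:01 +0000] "GET /index.php?aid=12%27&cid=3 HTTP/1.1" 200',
] + ['198.51.100.9 - - [30/May/2026:10:01:%02d +0000] "POST /login-exec.php HTTP/1.1" 302' % s for s in range(7)]
```

Running `analyze(SAMPLE_LOG)` yields one finding for the non-numeric aid value and one for the login burst; in production the thresholds should be tuned to the site's normal traffic.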
Source articles (10)
- CVE-2018-25424 - Exploits & Severity — Feedly · 2026-05-30
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89). Gate Pass Management System 2.1 contains an SQL injection vulnerability in the login-exec.php endpoint. Un…
- CVE-2018-25425 - Exploits & Severity — Feedly · 2026-05-30
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89). Yot CMS 3.3.1 contains an SQL injection vulnerability in the aid and cid parameters of index.php. Unauthen…
- CVE-2018-25424 INCIBE-CERT - Vulnerabilities RSS / 2h Severity 3.1 (CVSS 3.1 Base Score) — www.incibe.es · 2026-05-30
Base score: 8.80 HIGH. Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Access vector (AV): Via network. Access complexity (AC): Low. Attack Requirements (AT): Nin…
- CVE-2018-25424 AKAOMA CVE VULNERABILITIES / 6h — cve.akaoma.com · 2026-05-30
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application. 8.2 /10 Severe Risk. Cybersecurity professionals consider CVE-2018-25424 an immediate threat requiring urgent mitigation.
- CVE-2018-25425 INCIBE-CERT - Vulnerabilities RSS / 4h Severity 3.1 (CVSS 3.1 Base Score) — www.incibe.es · 2026-05-31
Base score: 8.80 HIGH. Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N. Access vector (AV): Via network. Access complexity (AC): Low. Attack Requirements (AT): Nin…
- CVE-2018-25425 AKAOMA CVE VULNERABILITIES / 8h — cve.akaoma.com · 2026-05-31
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names. 8.2 /10 Severe Risk. Cybersecurity professionals consider CVE-2018-25425 an immediate threat requiring urgent mitigation.
- CVE-2018-25424 Vulners.com RSS Feed / 6h — vulners.com · 2026-05-30
Gate Pass Management System 2.1 contains an SQL injection vulnerability that allows unauthenticated attackers to bypass authentication by injecting SQL code through the login and password parameters. Attackers can submit crafted POST requests to login-exec.php with SQL injection payloads in form parameters to authenticate without valid credentials and gain access to the application...
- CVE-2018-25424 | Livebms Gate Pass Management System 2.1 POST login-exec.php sql injection (Exploit 45766) VulDB Recent Entries / 6h — vuldb.com · 2026-05-30
A vulnerability marked as critical has been reported in Livebms Gate Pass Management System 2.1. This affects an unknown function of the file login-exec.php of the component POST Handler. This manipulation causes sql injection. This vulnerability is handled as CVE-2018-25424. The attack can be initiated remotely. Additionally, an exploit exists.
- CVE-2018-25425 Vulners.com RSS Feed / 8h — vulners.com · 2026-05-31
Yot CMS 3.3.1 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the aid and cid parameters. Attackers can send GET requests to index.php with crafted SQL payloads in the aid or cid parameters to extract database information including table and column names...
- CVE-2018-25425 | Yot CMS 3.3.1 index.php aid/cid sql injection (Exploit 45768 / EUVD-2018-21947) VulDB Recent Entries / 8h — vuldb.com · 2026-05-31
A vulnerability was found in Yot CMS 3.3.1. It has been classified as critical. Impacted is an unknown function of the file index.php. Performing a manipulation of the argument aid/cid results in sql injection. This vulnerability is cataloged as CVE-2018-25425. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
Timeline
- 2026-05-30 — CVE-2018-25424 published: Gate Pass Management System 2.1 has an SQL injection vulnerability allowing unauthenticated access.
- 2026-05-30 — CVE-2018-25425 published: Yot CMS 3.3.1 contains an SQL injection vulnerability enabling data extraction via crafted GET requests.
- 2026-05-30 — Security advisories released: GitHub Advisories published patches for CVE-2018-25425; mitigation steps recommended for both vulnerabilities.
- 2026-05-30 — INCIBE-CERT alerts issued: INCIBE-CERT confirmed the vulnerabilities and their high severity ratings, urging immediate action.
- 2026-05-31 — Urgent mitigation recommended: Cybersecurity professionals classify both vulnerabilities as immediate threats requiring urgent mitigation actions.
Related entities
- SQL Injection (Attack Type)
- CWE-89 - SQL Injection (CWE)
- T1190 - Exploit Public-Facing Application (MITRE ATT&CK)
- Gate Pass Management System 2.1 (Platform)
- PHP (Platform)
- Yot CMS (Platform)