CVE-2018-25430

HIGH

Paroiciel 11.20 - Authenticated SQL Injection via eGeqIdEquipe Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-25430. PoCs published by Ihsan Sencan.

AI-analyzed exploit summary The exploit demonstrates SQL injection vulnerabilities in Paroiciel 11.20 via three distinct endpoints (`trec.php`, `zpro.php`, `egeq.php`). The payloads use UNION-based SQLi to extract database information, including table and column names, via crafted HTTP GET requests.

Description

Paroiciel 11.20 contains an SQL injection vulnerability that allows authenticated attackers to execute arbitrary SQL queries by injecting malicious code through the eGeqIdEquipe parameter. Attackers can send GET requests to the egeq.php endpoint with crafted SQL payloads to extract sensitive database information including version details and other data.

Exploits (1)

exploitdb WORKING POC
by Ihsan Sencan · textwebappsphp
https://www.exploit-db.com/exploits/45810

The exploit demonstrates SQL injection vulnerabilities in Paroiciel 11.20 via three distinct endpoints (`trec.php`, `zpro.php`, `egeq.php`). The payloads use UNION-based SQLi to extract database information, including table and column names, via crafted HTTP GET requests.

Classification
Working Poc 95%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: Paroiciel 11.20
Auth required
Prerequisites: valid session cookies (paroi6l_auth, PHPSESSID) · access to the target web application
devstral-2 · analyzed Jun 02, 2026 Full analysis →

References (4)

Core 4

Scores

CVSS v3 7.1
EPSS 0.0027
EPSS Percentile 18.8%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-89
Status published
Products (1)
Paroiciel/Paroiciel 11.20
Published Jun 01, 2026
Tracked Since Jun 02, 2026