8.8
EdTv 2: Unauthenticated Access to Database Information via GET Request
CVE-2018-25171
Summary
Attackers can send a specially crafted GET request to EdTv 2's admin/edit_source endpoint and extract sensitive database information, including user credentials, without needing a login. This information could be used to gain further access to the system. Update EdTv 2 to prevent this type of attack.
Original title
EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET ...
Original description
EdTv 2 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the 'id' parameter. Attackers can send GET requests to the admin/edit_source endpoint with crafted SQL UNION statements to extract database information including schema names, user credentials, and version details.
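A detection check for the request pattern described above, as an added example that is not part of the original advisory or of EdTv's code. It assumes combined-format web access logs and that legitimate `id` values are plain integers; the sample log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "admin/edit_source"  # endpoint named in the advisory
PARAM = "id"                    # injectable parameter named in the advisory

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = """\
203.0.113.10 - - [06/Mar/2026:10:00:01 +0000] "GET /admin/edit_source?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [06/Mar/2026:10:00:07 +0000] "GET /admin/edit_source?id=12%20UNION%20SELECT%20NULL HTTP/1.1" 200 7312 "-" "curl/8.5"
203.0.113.44 - - [06/Mar/2026:10:00:09 +0000] "GET /edtv/admin/edit_source?id=12%27 HTTP/1.1" 200 310 "-" "curl/8.5"
198.51.100.5 - - [06/Mar/2026:10:01:00 +0000] "GET /index.php?id=abc HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
SQL_WORDS = re.compile(r"\b(union|select)\b", re.IGNORECASE)
NUMERIC = re.compile(r"[0-9]+")


def suspicious_requests(log_text):
    """Return (ip, status, reason, decoded_id) for GETs to the endpoint
    whose id parameter is not a plain integer (assumed legitimate form)."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if ENDPOINT not in url.path:
            continue
        # parse_qs percent-decodes values, so encoded payloads are compared in clear form.
        for value in parse_qs(url.query, keep_blank_values=True).get(PARAM, []):
            if NUMERIC.fullmatch(value):
                continue
            reason = "sql-keyword" if SQL_WORDS.search(value) else "non-numeric"
            findings.append((m["ip"], int(m["status"]), reason, value))
    return findings


if __name__ == "__main__":
    for finding in suspicious_requests(SAMPLE_LOG):
        print(finding)
```

A flagged request that returned 200 without a preceding admin login from the same client is the case to triage first, since the advisory states no authentication is required.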
nvd CVSS3.1
8.2
nvd CVSS4.0
8.8
Vulnerability type
CWE-434
Unrestricted File Upload
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026