
Webiness Inventory 2.3: Unauthenticated SQL Injection Attack

CVE-2018-25188
Summary

An unauthenticated attacker can inject SQL through the order parameter of Webiness Inventory 2.3, potentially exposing sensitive database information. The injection is delivered in a POST request to the WsModelGrid.php endpoint. To fix this, update to a patched version of Webiness Inventory or apply a security patch.

Original title
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attack...
Original description
Webiness Inventory 2.3 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the order parameter. Attackers can send POST requests to the WsModelGrid.php endpoint with crafted SQL payloads to extract sensitive database information including usernames, databases, and version details.
NVD CVSS 3.1: 8.2
NVD CVSS 4.0: 8.8
Vulnerability type
CWE-89 SQL Injection
Published: 6 Mar 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026