CVE-2018-25187 PUBLISHED

Tina4 Stack 1.0.3 SQL Injection and Database File Download

Assigner: VulnCheck
Reserved: 06.03.2026 Published: 06.03.2026 Updated: 06.03.2026

Tina4 Stack 1.0.3 contains multiple vulnerabilities allowing unauthenticated attackers to access sensitive database files and execute SQL injection attacks. Attackers can directly request the kim.db database file to retrieve user credentials and password hashes, or inject SQL code through the menu endpoint to manipulate database queries.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N
CVSS Score: 8.8

Product Status

Vendor Tina4
Product Tina4 Stack
Versions
  • Version 1.0.3 is affected

Credits

  • Ihsan Sencan finder

References

Problem Types

  • Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE