This advisory details a critical SQL injection vulnerability in AdminPando v1.0.1 that allows an unauthenticated attacker to bypass the login and obtain administrative access. With that access, the attacker can alter the website's public content. The page records the assigned CVE identifier and the details researchers need to reproduce and triage the issue.
CVE-2025-10878: SQL Injection Authentication Bypass in Fikir Odaları AdminPando
Overview
CVE-2025-10878 identifies a critical SQL injection vulnerability present within the login feature of Fikir Odaları AdminPando v1.0.1, potentially affecting earlier versions. The vulnerability, rated with a CVSS score of 10.0, enables an unauthenticated attacker to bypass authentication by exploiting the username and password parameters. This results in unauthorized administrative access, allowing attackers to manipulate the public-facing website's content.
Vulnerable Component Details
- Product: Fikir Odaları AdminPando
- Vendor: Omran İnşaat A.Ş.
- Vulnerable URL: https://www.omran.com.tr/admin/logIn.php
- Affected Version: v1.0.1 and possibly earlier
- Vulnerability Type: CWE-89: SQL Injection
Impact
The vulnerability grants full administrative control over the application, with consequences including:
- Complete authentication bypass
- Unauthorized access to the admin panel
- Manipulation of public website content
- Distribution of malicious content to public website visitors
- Potential exposure of user data and damage to brand reputation
Attack Flow
- An attacker exploits the SQL injection on the /adminlogin page and gains access to the admin dashboard.
- The admin dashboard grants full HTML/DOM control over the public website.
- Visitors to the public website encounter manipulated content, effectively crossing a trust boundary between authenticated and unauthenticated users.
Proof of Concept
A proof of concept was created to demonstrate the vulnerability and the exploitation steps involved. It uses the following payload:
' OR '1'='1
Submitting this payload through the login fields bypasses the credential check without a valid password and grants access to the admin panel, which in turn gives complete control over the public-facing website.
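To show why the quoted payload defeats a login check and what a fixed version looks like, here is an added example written for this page; it is not code from AdminPando or from the reporter. The affected product is PHP, but the mechanics are modelled in Python with an in-memory SQLite table. The table schema, the exact shape of the vulnerable query (username and password compared in one WHERE clause), and the sample credential are all assumptions, and the plaintext password is only to keep the model short.

```python
import sqlite3

# The payload quoted in the advisory.
PAYLOAD = "' OR '1'='1"

# Constructed sample credential for the in-memory model; not from the affected product.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct-horse-battery"


def make_db():
    """Build an in-memory admin table standing in for the login backend (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admins (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    # Plaintext password only to keep the model short; real code stores a salted hash.
    conn.execute("INSERT INTO admins (username, password) VALUES (?, ?)",
                 (SAMPLE_USER, SAMPLE_PASSWORD))
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    """CWE-89 pattern: user input concatenated straight into the SQL text."""
    return ("SELECT id FROM admins WHERE username = '%s' AND password = '%s'"
            % (username, password))


def login_vulnerable(conn, username, password):
    """Authenticates if the concatenated query returns any row at all."""
    return conn.execute(build_vulnerable_query(username, password)).fetchone() is not None


def login_fixed(conn, username, password):
    """Hardened form: bound parameters, so quotes in the input never reach the SQL grammar."""
    row = conn.execute(
        "SELECT id FROM admins WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def bypass_matrix(conn):
    """Try the payload in each field against both implementations.

    Returns {case: (vulnerable_result, fixed_result)}.
    """
    cases = {
        "payload in both fields": (PAYLOAD, PAYLOAD),
        "payload in password only": ("nobody", PAYLOAD),
        "payload in username only": (PAYLOAD, "wrong"),
        "valid credentials": (SAMPLE_USER, SAMPLE_PASSWORD),
    }
    return {name: (login_vulnerable(conn, u, p), login_fixed(conn, u, p))
            for name, (u, p) in cases.items()}


if __name__ == "__main__":
    db = make_db()
    print(build_vulnerable_query(PAYLOAD, PAYLOAD))
    for case, (vuln, fixed) in bypass_matrix(db).items():
        print(f"{case:28s} vulnerable={vuln!s:5s} fixed={fixed}")
```

The matrix makes one detail visible that the bare payload hides: against a query of the form `username = '...' AND password = '...'`, SQL's AND binds tighter than OR, so the payload in the username field alone still leaves `password = 'wrong'` as a required condition and fails. Injected into the password field, or into both fields as the advisory's wording ("username and password parameters") suggests, the trailing `OR '1'='1'` makes the whole WHERE clause true and the first admin row is returned. The parameterized version rejects every injected case while still accepting the real credential; that is the standard fix for CWE-89, not a description of the vendor's actual patch.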
Remediation
The vulnerability was patched on January 26, 2026. All users are urged to confirm they are running the patched version of the software to mitigate this severe risk.
Acknowledgment
This vulnerability was discovered by Onurcan Genç and reported through responsible disclosure.