CVE-2013-2618
Published 2014-06-05
Priority: P2 · 77 · medium · CVSS 2.0 base score 4.3
CVSS 2.0 vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Flags: exploited in the wild (ITW), public exploit, VulnCheck KEV, ransomware use
EPSS: 4.68% (90.6th percentile)
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| network-weathermap | network_weathermap | <= 0.97 | — |
Detection & IOCs (extracted from sources)
Snort rule:
alert http $EXTERNAL_NET any -> $HTTP_SERVERS any (msg:"ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)"; flow:established,to_server; http.method; content:"POST"; http.uri; content:"/editor.php"; content:"&map_title="; nocase; content:"&map_legend="; nocase; content:"&editorsettings_showrelative="; fast_pattern; nocase; content:"="; pcre:"/.+?(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))/R"; reference:url,blog.trendmicro.com/trendlabs-security-intelligence/cryptocurrency-miner-distributed-via-php-weathermap-vulnerability-targets-linux-servers/; reference:cve,2013-2618; classtype:attempted-admin; sid:2025459; rev:5;)
- The persistent XSS results in a PHP webshell written to /plugins/weathermap/configs/conn.php (and cools.php); detect unexpected .php file creation under the weathermap configs directory.
- Post-exploitation persistence: monitor for writes to /etc/rc.local and /etc/crontab by web server processes, and for the kernel parameter vm.nr_hugepages being modified (indicative of XMR mining preparation).
- The vulnerability is also exploitable via the Cacti plugin management interface; monitor GET requests to weathermap-cacti-plugin-mgmt.php?action=viewconfig&file= for path traversal or injection payloads.
- Exploitation requires Cacti's Plugin Architecture to be enabled with an outdated Network Weathermap version (0.97a or prior); patched versions (0.97b+) are not affected.
- The campaign specifically targets publicly accessible Cacti instances with no authentication; instances behind authentication or not internet-facing are significantly harder to exploit.
- The attacking IP addresses were not published as stable IOCs because the machines are assessed to be remotely controlled (likely compromised intermediaries), reducing their detection value.
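As an added illustration (not code from the page's sources), the following Python re-implements the Snort rule above as a check over a captured editor.php POST, and additionally re-checks the URL-decoded field values, which the raw-body pattern alone does not see. The request bodies and the editor.php path are constructed.

```python
import re
from urllib.parse import parse_qs

# Event-handler / script / style pattern copied from the rule above (sid 2025459).
XSS_RE = re.compile(
    r"(?:on(?:(?:s(?:elec|ubmi)|rese)t|d(?:blclick|ragdrop)|(?:mouse|key)[a-z]"
    r"|c(?:hange|lick)|(?:un)?load|focus|blur)|s(?:cript|tyle=))"
)
# A normal "save map properties" POST to editor.php carries all three fields,
# so they only narrow the request type; XSS_RE supplies the actual signal.
MARKERS = ("&map_title=", "&map_legend=", "&editorsettings_showrelative=")


def matches_rule(method: str, uri: str, body: str) -> bool:
    """Simplified re-implementation of the rule: POST to /editor.php whose body
    holds the three marker fields (case-insensitive, like the rule's nocase) and,
    anywhere in the raw body, the handler/script pattern (case-sensitive, like
    the rule's pcre)."""
    if method.upper() != "POST" or "/editor.php" not in uri:
        return False
    lowered = body.lower()
    if not all(m in lowered for m in MARKERS):
        return False
    return XSS_RE.search(body) is not None


def offending_fields(body: str) -> dict:
    """Decode the form body and return the fields whose value trips XSS_RE.
    Matching on decoded values also catches percent-encoded variants that the
    raw-body check above would miss; map_title is the parameter the CVE
    description names as the injection point."""
    fields = parse_qs(body, keep_blank_values=True)
    return {name: v for name, vals in fields.items() for v in vals if XSS_RE.search(v)}


# Constructed sample requests (not captured traffic).
BENIGN_BODY = ("action=set_map_properties&map_title=Core+Network"
               "&map_legend=Traffic+load&editorsettings_showrelative=1")
SUSPECT_BODY = ("action=set_map_properties&map_title=Core+%3Cscript%3Ealert(1)%3C/script%3E"
                "&map_legend=Traffic&editorsettings_showrelative=1")

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("suspect", SUSPECT_BODY)):
        hit = matches_rule("POST", "/plugins/weathermap/editor.php", body)
        print(f"{label}: rule match={hit}, offending={offending_fields(body)}")
```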
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |
| vulncheck | — | 4.3 | MEDIUM | — |
GHSA
GHSA-cgfh-fcw2-4r7r: Cross-site scripting (XSS) vulnerability in editor
ghsa_unreviewed · 2022-05-17 · CVE-2013-2618 [MEDIUM] · CWE-79
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
VulnCheck
network-weathermap / network_weathermap: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
vulncheck · 2013 · CVSS 4.3 · CVE-2013-2618 [MEDIUM]
Cross-site scripting (XSS) vulnerability in editor.php in Network Weathermap before 0.97b allows remote attackers to inject arbitrary web script or HTML via the map_title parameter.
Affected: network-weathermap / network_weathermap
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediations or mitigations are unavailable.
Known Ransomware Campaign Use: Known
Exploitation References: https://cybersecurityworks.com/blog/ransomware/cyber-hygiene-ransomware-is-causing-critical-care-disruption-in-hospitals.html; https://cybersecurityworks.com/pdf/ransomware/Spotlight_Ransomware2021.pdf; https://cybersecuri
Suricata
ET WEB_SPECIFIC_APPS Possible CVE-2013-2618 Attempt (PHP Weathermap Persistent XSS)
suricata · 2018-04-03 · CVSS 4.3 · CVE-2013-2618 [MEDIUM]
Rule: identical to the rule listed under Detection & IOCs above (sid 2025459, rev 5).
References
- http://osvdb.org/91869
- http://packetstormsecurity.com/files/121034/Network-Weathermap-0.97a-Cross-Site-Scripting.html
- http://seclists.org/fulldisclosure/2013/Apr/1
- http://www.exploit-db.com/exploits/24913
- http://www.network-weathermap.com/content/security-notice-cve-2013-2618-network-weathermap-097a-persistent-xss
- http://www.securityfocus.com/bid/58793
- https://exchange.xforce.ibmcloud.com/vulnerabilities/83187