CVE-2018-16836
published 2018-09-11

Priority: P1 · 87 · critical · 9.8 (CVSS 3.1)
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Tags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 61.44% (99.1th percentile)

Rubedo through 3.4.0 contains a Directory Traversal vulnerability in the theme component, allowing unauthenticated attackers to read and execute arbitrary files outside of the service root path, as demonstrated by a /theme/default/img/%2e%2e/..//etc/passwd URI.

Affected

1 ranges
Vendor | Product | Version range | Fixed in
rubedo_project | rubedo | <= 3.4.0 |

Detection & IOCs (extracted from sources)

url: /theme/default/img/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e//etc/passwd
path: /theme/default/img/
  • Look for URL-encoded dot-dot sequences (%2e%2e) in HTTP GET requests targeting the /theme/default/img/ path, indicative of directory traversal attempts against Rubedo CMS.
  • Exploit requires no authentication (unauthenticated attacker); alert on any unauthenticated GET request to /theme/ paths containing %2e%2e traversal sequences.
  • Successful exploitation returns HTTP 200 with content matching 'root:.*:0:0:' (i.e., /etc/passwd contents); monitor HTTP responses from /theme/ endpoints for Unix passwd file patterns.
  • Google Dork 'intext:rubedo.current.page.description' can be used to identify exposed Rubedo CMS instances for targeted scanning.
  • The traversal path uses a double slash before /etc/passwd (//etc/passwd) in addition to URL-encoded %2e%2e sequences; detection rules must account for both the encoding and the trailing double-slash pattern.
  • The NVD advisory also shows a mixed encoding variant (%2e%2e/../), suggesting multiple traversal encoding styles may be used; detection should normalize and match both forms.
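
One way to apply the normalization advice above to web server access logs, as an added example that is not part of the original advisory or of Rubedo. It assumes combined-log-format lines; the sample log entries, addresses and function names are constructed for illustration, and it generalizes slightly by also decoding double-encoded sequences.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Sep/2018:10:00:00 +0000] "GET /theme/default/img/%2e%2e/..//etc/passwd HTTP/1.1" 200 1532',
    '203.0.113.7 - - [11/Sep/2018:10:00:02 +0000] "GET /theme/default/img/%252e%252e/%252e%252e//etc/passwd HTTP/1.1" 404 210',
    '198.51.100.4 - - [11/Sep/2018:10:01:00 +0000] "GET /theme/default/img/logo.png HTTP/1.1" 200 4821',
    '198.51.100.4 - - [11/Sep/2018:10:01:05 +0000] "GET /theme/default/css/v1..2/site.css HTTP/1.1" 200 900',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
PASSWD_RE = re.compile(r"^root:.*:0:0:", re.MULTILINE)

def fully_decode(target, max_rounds=3):
    """Percent-decode repeatedly so %2e%2e and double-encoded %252e%252e both become '..'."""
    for _ in range(max_rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target

def is_theme_traversal(target):
    """True if the decoded path is under /theme/ and has a '..' path segment."""
    path = fully_decode(target.split("?", 1)[0])
    if not path.lower().startswith("/theme/"):
        return False
    # Splitting on runs of slashes collapses the '//' before etc/passwd; exact segment match avoids 'v1..2'.
    return ".." in re.split(r"[/\\]+", path)

def scan_log(lines):
    """Return (raw request target, HTTP status) for every traversal attempt found."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_theme_traversal(m.group("target")):
            hits.append((m.group("target"), int(m.group("status"))))
    return hits

def looks_like_passwd(body):
    """Response-side check from the bullets above: body contains a root passwd entry."""
    return PASSWD_RE.search(body) is not None
```

A hit with status 200 is the one to triage first, since the bullets above tie successful exploitation to an HTTP 200 response carrying passwd-style content.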

CVSS provenance

nvd | v3.1 | 9.8 CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck | 9.8 CRITICAL