CVE-2018-17553
published 2018-10-03

Priority: P1 (80, high)
CVSS 3.0: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit: yes
EPSS: 78.99% (99.5th percentile)
An "Unrestricted Upload of File with Dangerous Type" issue with directory traversal in navigate_upload.php in Naviwebs Navigate CMS 2.8 allows authenticated attackers to achieve remote code execution via a POST request with engine=picnik and id=../../../navigate_info.php.

Affected (1 range)

Vendor | Product | Version range | Fixed in
naviwebs | navigate_cms | (not listed) | (not listed)

Detection & IOCs (extracted from sources)

path: /navigate_upload.php
path: /navigate_info.php
path: ../../../navigate_info.php
command: POST /navigate_upload.php?session_id=<SESSION>&engine=picnik&id=../../../navigate_info.php
  • Detect POST requests to navigate_upload.php containing query parameters engine=picnik and id= with path traversal sequences (e.g., ../) targeting navigate_info.php
  • Alert on session cookies matching the pattern NVSID_* obtained immediately after a POST to login.php with the SQLi bypass cookie, indicating successful auth bypass
  • Monitor for multipart/form-data file uploads to navigate_upload.php where the uploaded file has a JPEG content-type but contains PHP code, indicating disguised webshell upload
  • Detect GET requests to /navigate/navigate_info.php shortly after a POST upload to navigate_upload.php, which is the payload trigger step of the exploit chain
  • The exploit chains CVE-2018-17552 (authentication bypass via SQL injection in the navigate-user cookie) with CVE-2018-17553 (file upload path traversal). Detection must cover both steps; blocking only the upload endpoint is insufficient if the auth bypass is not also detected.
  • The GET query parameters (session_id, engine, id) in the upload request are shuffled in order by the Metasploit module, so detection rules should not rely on a fixed parameter order.
  • The module overwrites navigate_info.php with an empty string after session establishment to clean up; forensic analysis of navigate_info.php content may show an empty file post-exploitation rather than a webshell.
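The first and fourth detection bullets above, and the note that the exploit shuffles query-parameter order, can be turned into a small log-based check. The following is an added example and not part of the original record or of any vendor tooling: it parses web-server access-log lines (Combined Log Format assumed), flags a POST to navigate_upload.php whose query carries engine=picnik and a traversal sequence in id regardless of parameter order, and then flags a GET of navigate_info.php from the same client within a follow-up window. The log lines are constructed for the example, the session_id values are placeholders, and the 60-second window is an assumed tuning value.

```python
"""Access-log detection for the CVE-2018-17553 upload-traversal chain.

Added example (not from the original page). Log lines below are
constructed; the follow-up window is an assumed tuning value.
"""
import re
from datetime import datetime
from urllib.parse import parse_qs, unquote, urlsplit

# Combined Log Format: ip ident user [ts] "METHOD url PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d+)'
)
# A ".." path component anywhere in the value
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")
FOLLOWUP_WINDOW_SECONDS = 60  # assumption: tuning value, not from the page

# Constructed sample traffic: one chained attack, then a benign upload
# followed by an unrelated read of navigate_info.php.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Oct/2018:10:15:01 +0000] "POST /navigate/navigate_upload.php'
    '?id=..%2F..%2F..%2Fnavigate_info.php&session_id=SESSION_PLACEHOLDER&engine=picnik HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Oct/2018:10:15:03 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 64',
    '198.51.100.4 - - [03/Oct/2018:10:16:00 +0000] "POST /navigate/navigate_upload.php'
    '?session_id=SESSION_PLACEHOLDER&engine=picnik&id=photo.jpg HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Oct/2018:10:16:05 +0000] "GET /navigate/navigate_info.php HTTP/1.1" 200 64',
]


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    parts = urlsplit(m.group("url"))
    # parse_qs gives a name -> [values] mapping, so parameter order does not
    # matter; the page notes the exploit shuffles the three parameters.
    query = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": parts.path, "query": query, "status": int(m.group("status"))}


def is_upload_traversal(rec):
    """True for POST navigate_upload.php with engine=picnik and a traversal in id."""
    if rec["method"] != "POST" or not rec["path"].endswith("/navigate_upload.php"):
        return False
    q = rec["query"]
    # parse_qs already decoded once; decode again to catch double-encoding.
    return q.get("engine") == "picnik" and bool(TRAVERSAL.search(unquote(q.get("id", ""))))


def detect(lines):
    """Return (kind, ip, path) alerts.

    'upload_traversal' for the malicious POST; 'trigger_after_upload' for a
    GET of navigate_info.php from the same client within the follow-up window.
    """
    alerts = []
    recent_uploads = {}  # client ip -> timestamp of last flagged upload
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if is_upload_traversal(rec):
            alerts.append(("upload_traversal", rec["ip"], rec["path"]))
            recent_uploads[rec["ip"]] = rec["ts"]
        elif rec["method"] == "GET" and rec["path"].endswith("/navigate_info.php"):
            last = recent_uploads.get(rec["ip"])
            if last is not None and 0 <= (rec["ts"] - last).total_seconds() <= FOLLOWUP_WINDOW_SECONDS:
                alerts.append(("trigger_after_upload", rec["ip"], rec["path"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The benign upload (id=photo.jpg) and the unrelated GET from the second client produce no alerts, which is the point of correlating the trigger step with a previously flagged upload from the same client rather than alerting on every read of navigate_info.php.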

CVSS provenance

NVD v3.0: 8.8 HIGH (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 6.5 MEDIUM (AV:N/AC:L/Au:S/C:P/I:P/A:P)