CVE-2018-5981
Published 2018-02-17
CVE-2018-5981: SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.
Priority: P265, critical, 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.70% (84.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| web-dorado | gallery_wd | — | — |
Detection & IOCs
command: gallery_id=%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%37%30%39%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%37%30%39%32%3d%37%30%39%32%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29
- Detect SQL injection attempts against the Gallery WD Joomla component by monitoring HTTP requests that contain 'option=com_gallery_wd' together with SQL payloads in the 'tag_id' or 'gallery_id' parameters.
- Alert on XPATH syntax error messages (MySQL error 1105 'XPATH syntax error') in HTTP responses, which indicate successful error-based SQL injection via the UPDATEXML or EXTRACTVALUE functions.
- Flag requests to 'index.php?option=com_gallery_wd' where 'gallery_id' contains URL-encoded SQL keywords (e.g., %41%4e%44 = 'AND', %45%58%54%52%41%43%54%56%41%4c%55%45 = 'EXTRACTVALUE'), indicating URL-encoded SQL injection attempts.
- Monitor for the error-based exfiltration functions UPDATEXML and EXTRACTVALUE (CONCAT(0x5c,...) / CONCAT(0x2e,...) patterns) within the 'tag_id' or 'gallery_id' query parameters of com_gallery_wd requests.
- The exploit PoC uses 'localhost' as the target host; in real-world detections the host portion will vary, so detection rules should match on the URI path and parameter patterns rather than the hostname.
- The gallery_id SQL payload is URL-encoded in the PoC; WAF/IDS rules must decode percent-encoding before matching to avoid bypass via URL encoding.
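The decode-then-match checks described in the notes above, as an added Python example that is not part of the original page or of any vendor rule set. The regex, function names and sample requests are constructed for illustration; the encoded sample is a truncated prefix of the command shown above, and decoding repeatedly to catch double-encoding goes beyond what the page states.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

WATCHED_PARAMS = ("tag_id", "gallery_id")
# Error-based functions named on the page, plus generic SQL keywords.
SQLI = re.compile(
    r"\b(?:extractvalue|updatexml)\s*\(|concat\s*\(\s*0x|\b(?:union|select|and|or)\b",
    re.IGNORECASE,
)
XPATH_ERR = re.compile(r"XPATH syntax error", re.IGNORECASE)

def fully_decode(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded)."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(uri, response_body=""):
    """Return findings for one request URI and its optional response body."""
    params = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    options = [fully_decode(v).lower() for v in params.get("option", [])]
    if "com_gallery_wd" not in options:
        return []  # match on component and parameters, never on the hostname
    findings = []
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            if SQLI.search(fully_decode(raw)):
                findings.append(f"sqli-pattern:{name}")
    if XPATH_ERR.search(response_body):
        findings.append("xpath-error-in-response")
    return findings

# Constructed sample inputs (not real traffic).
BENIGN = "/index.php?option=com_gallery_wd&gallery_id=7&tag_id=0"
ENCODED = ("/index.php?option=com_gallery_wd&gallery_id="
           "%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28")
DOUBLE_ENCODED = ENCODED.replace("%", "%25")
OTHER_COMPONENT = ENCODED.replace("com_gallery_wd", "com_content")
ERROR_BODY = "1105 XPATH syntax error: '<constructed>'"

if __name__ == "__main__":
    for uri in (BENIGN, ENCODED, DOUBLE_ENCODED, OTHER_COMPONENT):
        print(inspect_request(uri), uri[:60])
    print(inspect_request(BENIGN, ERROR_BODY))
```

The generic keywords `and`/`or` will also match legitimate free-text values, so they are only appropriate for parameters that normally carry identifiers.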
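CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |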