CVE-2018-5981
published 2018-02-17

CVE-2018-5981: SQL Injection exists in the Gallery WD 1.3.6 component for Joomla! via the tag_id parameter or gallery_id parameter.

Priority: P265 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: available
EPSS: 2.70% (84.1th percentile)

Affected

1 range
Vendor      Product     Version range   Fixed in
web-dorado  gallery_wd  (none given)    (none given)

Detection & IOCs (extracted from sources)

url: index.php?option=com_gallery_wd&tag_id=[SQL]&view=GalleryBox&gallery_id=7
url: index.php?option=com_gallery_wd&tag_id=&view=GalleryBox&gallery_id=7[SQL]
command: tag_id=(UPDATEXML(1,CONCAT(0x2e,database(),(SELECT (ELT(2=2,1))),version()),8599))
command: gallery_id=%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41%4c%55%45%28%37%30%39%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%37%30%39%32%3d%37%30%39%32%2c%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29
  • Detect SQL injection attempts against the Gallery WD Joomla component by monitoring HTTP requests containing 'option=com_gallery_wd' combined with SQL payloads in the 'tag_id' or 'gallery_id' parameters.
  • Alert on XPATH syntax error responses (MySQL error 1105 'XPATH syntax error') in HTTP responses, which indicate successful error-based SQL injection exploitation via UPDATEXML or EXTRACTVALUE functions.
  • Flag requests to 'index.php?option=com_gallery_wd' where 'gallery_id' contains URL-encoded SQL keywords (e.g., %41%4e%44 = 'AND', %45%58%54%52%41%43%54%56%41%4c%55%45 = 'EXTRACTVALUE'), indicating URL-encoded SQL injection attempts.
  • Monitor for use of SQL error-based exfiltration functions UPDATEXML and EXTRACTVALUE (CONCAT(0x5c,...) / CONCAT(0x2e,...) patterns) within the 'tag_id' or 'gallery_id' query parameters of com_gallery_wd requests.
  • The exploit PoC uses 'localhost' as the target host; in real-world detections the host portion will vary, so detection rules should match on the URI path and parameter patterns rather than the hostname.
  • The gallery_id SQL payload is URL-encoded in the PoC; WAF/IDS rules must decode percent-encoding before matching, otherwise URL encoding alone bypasses the rule.
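The following detection helper is an added example written for this page; it is not code from the CVE record's sources or from the Gallery WD vendor. It applies the guidance above: match on the URI path and query parameters rather than the hostname, percent-decode before matching (repeatedly, so a double-encoded value cannot slip past, which is an extension beyond the single decode the bullets mention), and flag `tag_id` or `gallery_id` values on `com_gallery_wd` requests that are not plain integers or that carry the error-based functions named above. The log lines, IP addresses and the `scan_log`/`inspect_request` function names are constructed for the example.

```python
"""Detection helper for CVE-2018-5981-style requests against com_gallery_wd.

Added example, not from the page's sources or the vendor. Constructed log
lines in combined format are embedded below so it runs offline.
"""
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Error-based exfiltration functions and the boolean glue named on the page.
SQLI_TOKENS = re.compile(
    r"\b(UPDATEXML|EXTRACTVALUE|CONCAT|ELT|SELECT|AND|OR)\b", re.IGNORECASE
)
WATCHED_PARAMS = ("tag_id", "gallery_id")
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

# Constructed sample log (not real traffic). Line 2 carries the page's
# tag_id payload with spaces as %20, line 3 the page's percent-encoded
# gallery_id payload; lines 1 and 4 are benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Feb/2018:10:00:01 +0000] "GET /index.php?option=com_gallery_wd'
    '&view=GalleryBox&gallery_id=7&tag_id=3 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [17/Feb/2018:10:00:02 +0000] "GET /index.php?option=com_gallery_wd'
    '&tag_id=(UPDATEXML(1,CONCAT(0x2e,database(),(SELECT%20(ELT(2=2,1))),version()),8599))'
    '&view=GalleryBox&gallery_id=7 HTTP/1.1" 500 310',
    '10.0.0.9 - - [17/Feb/2018:10:00:03 +0000] "GET /index.php?option=com_gallery_wd'
    '&tag_id=&view=GalleryBox&gallery_id=%37%20%41%4e%44%20%45%58%54%52%41%43%54%56%41'
    '%4c%55%45%28%37%30%39%32%2c%43%4f%4e%43%41%54%28%30%78%35%63%2c%76%65%72%73%69%6f'
    '%6e%28%29%2c%28%53%45%4c%45%43%54%20%28%45%4c%54%28%37%30%39%32%3d%37%30%39%32%2c'
    '%31%29%29%29%2c%64%61%74%61%62%61%73%65%28%29%29%29 HTTP/1.1" 500 310',
    '10.0.0.7 - - [17/Feb/2018:10:00:04 +0000] "GET /index.php?option=com_content'
    '&view=article&id=12 HTTP/1.1" 200 8000',
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(uri: str) -> Optional[dict]:
    """Return a finding for a suspicious com_gallery_wd request, else None.

    Only the path and query are examined, never the host, as the page advises.
    """
    parts = urlsplit(uri)
    params = parse_qs(parts.query, keep_blank_values=True)  # decodes once
    if params.get("option", [""])[0] != "com_gallery_wd":
        return None
    hits = {}
    for name in WATCHED_PARAMS:
        for raw in params.get(name, []):
            value = fully_decode(raw)
            # Legitimate ids are empty or small integers; anything else is
            # suspect, and SQL function names in it are a strong signal.
            if value == "" or value.isdigit():
                continue
            tokens = sorted({t.upper() for t in SQLI_TOKENS.findall(value)})
            hits[name] = {"decoded": value, "sql_tokens": tokens}
    if not hits:
        return None
    return {"path": parts.path, "params": hits}


def scan_log(lines: List[str]) -> List[Tuple[int, dict]]:
    """Run inspect_request over access-log lines; returns (1-based line no, finding)."""
    findings = []
    for lineno, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        finding = inspect_request(match.group(1))
        if finding:
            findings.append((lineno, finding))
    return findings


if __name__ == "__main__":
    for lineno, finding in scan_log(SAMPLE_LOG):
        print(f"line {lineno}: {finding['path']} -> {finding['params']}")
```

The integer check is what keeps false positives low: a plain `gallery_id=7` never reaches the keyword regex, while the decoded `7 AND EXTRACTVALUE(...)` form does. Because `parse_qs` already decodes once and `fully_decode` keeps going while the value still changes, an attacker-side second layer of percent-encoding does not defeat the match, which is the bypass the last bullet warns about.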

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P