CVE-2018-6395
Published 2018-01-30
CVE-2018-6395: SQL Injection exists in the Visual Calendar 3.1.3 component for Joomla! via the id parameter in a view=load action.
Priority: P262 · critical · 9.8 (CVSS 3.0)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.70% (84.1th percentile)
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomlacalendars | visual_calendar | — | — |
Detection & IOCs (extracted from sources)
command: `id=1 UNION ALL SELECT CONCAT(0x716a627a71,0x586a6c7676787a6f684c73745863744b7955784a47534d58797158564a53716d6b57434f6141536c,0x71786b6a71),NULL,NULL,NULL,NULL,NULL-- QpYd`
command: `-1 /*!06666UNION*/ /*!06666SELECT*/ (SELECT(@x)FROM(SELECT(@x:=0x00),(@NR:=0),(SELECT(0)FROM(INFORMATION_SCHEMA.TABLES)WHERE(TABLE_SCHEMA!=0x696e666f726d6174696f6e5f736368656d61)AND(0x00)IN(@x:=CONCAT(@x,LPAD(@NR:=@NR+1,4,0x30),0x3a20,table_name,0x3c62723e))))x),0x32,0x33,0x34,0x35,0x36-- -`
- Monitor HTTP GET requests to Joomla components for the parameter combination option=com_visualcalendar&view=load with a manipulated 'id' parameter containing SQL keywords (UNION, SELECT, SLEEP, AND) or encoded equivalents.
- Detect time-based blind SQLi attempts by alerting on requests to com_visualcalendar containing SLEEP() in the id parameter.
- Detect UNION-based SQLi attempts by alerting on requests to com_visualcalendar containing UNION ALL SELECT and NULL columns in the id parameter; the exploit uses a 6-column UNION query.
- Detect obfuscated UNION SELECT using MySQL versioned comment syntax (/*!06666UNION*/ /*!06666SELECT*/) in requests targeting com_visualcalendar.
- The SQL injection is exclusively via the HTTP GET 'id' parameter; flag any non-integer or SQL-containing value supplied to this parameter in com_visualcalendar requests.
- The exploit specifically targets Visual Calendar version 3.1.3 for Joomla!; other versions may or may not be affected.
- The SQL injection vulnerability is in the 'id' parameter only when the view=load action is used; other views/actions of the component are not confirmed vulnerable by this exploit.
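
The detection notes above can be applied to web server access logs; the following Python is an added example, not part of the original page or of any vendor rule set. The combined-log line format, the finding labels and the sample lines (documentation IP range) are assumptions constructed here.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

REQ = re.compile(r'^(\S+) [^"]*"(?:GET|HEAD) (\S+) HTTP')
VERSIONED = re.compile(r"/\*!\d*(.*?)\*/", re.S)   # /*!06666UNION*/ -> UNION
UNION_SELECT = re.compile(r"\bUNION\b.*\bSELECT\b", re.I | re.S)
SLEEP_CALL = re.compile(r"\bSLEEP\s*\(", re.I)

def classify(target):
    """Return findings for one request target; [] if clean or out of scope."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "com_visualcalendar" not in params.get("option", []):
        return []
    if "load" not in params.get("view", []):
        return []
    findings = []
    for raw in params.get("id", []):
        value = unquote(raw)                   # second decode: double-encoded input
        if not re.fullmatch(r"\d+", value):
            findings.append("non-integer-id")
        if VERSIONED.search(value):
            findings.append("versioned-comment")
        plain = VERSIONED.sub(r" \1 ", value)  # unwrap comments before keyword match
        if UNION_SELECT.search(plain):
            findings.append("union-select")
        if SLEEP_CALL.search(plain):
            findings.append("time-based")
    return findings

def scan(lines):
    """Return (client, findings) for each log line that triggers a finding."""
    hits = []
    for line in lines:
        m = REQ.match(line)
        found = classify(m.group(2)) if m else []
        if found:
            hits.append((m.group(1), found))
    return hits

# Constructed sample log lines, not real traffic.
BASE = "/index.php?option=com_visualcalendar&view=load&id="
SAMPLE = [f'198.51.100.{i} - - [30/Jan/2018:10:00:0{i} +0000] "GET {t} HTTP/1.1" 200 512'
          for i, t in enumerate([
              BASE + "42",
              BASE + "1%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL--%20-",
              BASE + "1%2520AND%2520SLEEP(5)",
              BASE + "-1%20/*!06666UNION*/%20/*!06666SELECT*/%201,2,3,4,5,6--%20-",
              "/index.php?option=com_content&view=article&id=7",
          ])]

if __name__ == "__main__":
    for client, findings in scan(SAMPLE):
        print(client, findings)
```

Unwrapping the versioned comment before keyword matching matters: in `06666UNION` there is no word boundary before `UNION`, so a plain `\bUNION\b` match on the raw value misses the obfuscated form.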
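CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |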