CVE-2018-6398
Published 2018-01-30
CVE-2018-6398: SQL Injection exists in the CP Event Calendar 3.0.1 component for Joomla! via the id parameter in a task=load action.
Priority P262 · critical · 9.8 · CVSS 3.0
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EXPLOIT
EPSS: 2.70% (84.1th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| joomlacalendars | event_calendar | — | — |
Detection & IOCs (extracted from sources)
command: option=com_cpeventcalendar&task=load&id=1 AND (SELECT 7531 FROM(SELECT COUNT(*),CONCAT(0x716a707671,(SELECT (ELT(7531=7531,1))),0x717a6a7a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)
command: option=com_cpeventcalendar&task=load&id=1 UNION ALL SELECT NULL,NULL,NULL,CONCAT(0x716a707671,0x4a61716b6d59557a4f5a496f7676584d57444e514d4d78626d42546e786d79747350424271687555,0x717a6a7a71),NULL,NULL,NULL-- cJFi
bytes: 0x716a707671
bytes: 0x717a6a7a71
- Monitor HTTP GET requests targeting the Joomla component 'com_cpeventcalendar' with 'task=load' and a manipulated 'id' parameter containing SQL injection payloads (UNION, AND, BENCHMARK, FLOOR, CONCAT, etc.).
- Detect boolean-based blind SQLi pattern in the 'id' GET parameter: value followed by 'AND <int>=<int>' against com_cpeventcalendar.
- Detect error-based SQLi using FLOOR(RAND(0)*2) with INFORMATION_SCHEMA.PLUGINS GROUP BY in requests to com_cpeventcalendar.
- Detect time-based blind SQLi using BENCHMARK(5000000,MD5(...)) in the 'id' parameter of com_cpeventcalendar requests; high BENCHMARK counts indicate deliberate heavy-query delay.
- Detect UNION-based SQLi with 7-column NULL skeleton and hex-encoded canary strings (0x716a707671 / 0x717a6a7a71) in requests to com_cpeventcalendar.
- URL-encoded SQLi probe targeting com_cpeventcalendar: look for the encoded UNION/SELECT sequence '%2d%31%20%20%2f%2a%21%30%36%36%36%36%55%4e%49%4f%4e%2a%2f' in the 'id' parameter.
- The SQL injection is only exploitable in CP Event Calendar version 3.0.1 for Joomla!; other versions are not confirmed vulnerable.
- The injection point is exclusively the 'id' GET parameter when 'task=load' is specified; other parameters or tasks are not part of this attack surface.
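The checks listed above, applied to web-server access logs, as an added example that is not from the original page or from any published rule. The function names, the regexes and the log lines are constructed for illustration, and combined log format is assumed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Patterns for the indicators listed above, matched against the decoded 'id' value.
RULES = {
    "boolean_blind": re.compile(r"\band\s+\d+\s*=\s*\d+", re.I),
    "error_floor_rand": re.compile(r"floor\s*\(\s*rand\s*\(\s*0\s*\)\s*\*\s*2\s*\)", re.I),
    "time_benchmark": re.compile(r"benchmark\s*\(\s*\d+", re.I),
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "versioned_comment_union": re.compile(r"/\*!\d*\s*union", re.I),
    "hex_canary": re.compile(r"0x716a707671|0x717a6a7a71", re.I),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def inspect(target):
    """Return the names of the rules hit by a request target (path?query), else []."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    options = [v.lower() for v in params.get("option", [])]
    tasks = [v.lower() for v in params.get("task", [])]
    # Scope to the documented attack surface: this component with task=load.
    if "com_cpeventcalendar" not in options or "load" not in tasks:
        return []
    hits = set()
    for value in params.get("id", []):  # parse_qs has already percent-decoded it
        hits.update(name for name, rx in RULES.items() if rx.search(value))
    return sorted(hits)

def scan(lines):
    """Yield (line_number, hits) for access-log lines that trip any rule."""
    for n, line in enumerate(lines, 1):
        m = REQUEST.search(line)
        hits = inspect(m.group(1)) if m else []
        if hits:
            yield n, hits

# Constructed sample log lines (documentation addresses, not real traffic).
BASE = "/index.php?option=com_cpeventcalendar&task=load&id="
SAMPLE = [
    f'192.0.2.10 - - [30/Jan/2018:10:00:00 +0000] "GET {BASE}1 HTTP/1.1" 200 512',
    f'192.0.2.11 - - [30/Jan/2018:10:00:01 +0000] "GET {BASE}1%20AND%207531%3D7531 HTTP/1.1" 200 512',
    f'192.0.2.11 - - [30/Jan/2018:10:00:02 +0000] "GET {BASE}%2d%31%20%20%2f%2a%21%30%36%36%36%36%55%4e%49%4f%4e%2a%2f HTTP/1.1" 200 0',
    f'192.0.2.11 - - [30/Jan/2018:10:00:03 +0000] "GET {BASE}1+UNION+ALL+SELECT+NULL,CONCAT(0x716a707671,0x717a6a7a71),NULL--+x HTTP/1.1" 200 90',
    '192.0.2.12 - - [30/Jan/2018:10:00:04 +0000] "GET /index.php?option=com_content&task=load&id=1%20AND%201%3D1 HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for n, hits in scan(SAMPLE):
        print(n, hits)
```

Matching runs on the percent-decoded value, so the encoded probe from the list is caught by the same rule as its plain form.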
CVSS provenance
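| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 9.8 | CRITICAL | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |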