cbcvebase.
CVE-2018-6605
published 2018-02-05


Priority: P184
Severity: critical, 9.8 (CVSS 3.0)
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploitation status: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 58.32% (99.0th percentile)
SQL Injection exists in the Zh BaiduMap 3.0.0.1 component for Joomla! via the id parameter in a getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails request.

Affected

1 range

Vendor: zh_baidumap_project
Product: zh_baidumap
Version range: (not given)
Fixed in: (not given)

Detection & IOCs (extracted from sources)

URL: /index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails
Parameter (POST body): id=-1 UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,md5({{num}}),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--+
  • Monitor POST requests to /index.php with query parameters option=com_zhbaidumap, no_html=1, format=raw, and task set to getPlacemarkDetails, getPlacemarkHoverText, getPathHoverText, or getPathDetails: these are the four injectable task endpoints.
  • Inspect the POST body for the 'id' parameter containing UNION-based SQL injection payloads (e.g., negative id values followed by UNION ALL SELECT with NULL columns and a comment terminator --+).
  • A successful exploitation response will contain the string 'dataexists' in the body alongside the injected computed value, which can be used as a detection matcher.
  • Use FOFA/Shodan queries for Joomla installations (app="Joomla!-网站安装") to identify potentially exposed instances of the vulnerable component.
  • The UNION-based payload targets a 48-column table structure (48 NULL columns). If the underlying database schema differs, the column count in the UNION SELECT must be adjusted accordingly.
  • The vulnerability is unauthenticated (PR:N) and network-accessible (AV:N), meaning no credentials or prior access are required to exploit it.
  • The exploit has a very high EPSS score (90.96th percentile), indicating active exploitation in the wild should be assumed.
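The three detection bullets above (endpoint filter, UNION payload in the id parameter, 'dataexists' in the response) can be combined into one log-scanning rule. The Python below is an added example written for this page, not code from the record's sources or from the component; it assumes a constructed tab-separated access-log format (method, request target, POST body, status, response snippet) and the sample lines are invented. It goes slightly beyond the bullets in also checking an id carried in the query string, so a GET variant of the same request is not a blind spot.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The four task handlers the advisory names as injectable via the id parameter.
INJECTABLE_TASKS = {"getPlacemarkDetails", "getPlacemarkHoverText",
                    "getPathHoverText", "getPathDetails"}

# Loose UNION-based injection pattern: "union [all] select", tolerant of
# whitespace, '+' (already decoded by parse_qs) and inline-comment separators.
UNION_RE = re.compile(
    r"union(?:\s|/\*.*?\*/)+(?:all(?:\s|/\*.*?\*/)+)?select", re.I)

# Constructed sample log (hypothetical format): method \t target \t body \t status \t response snippet.
# Line 2 mirrors the advisory's PoC shape; line 3 is a percent-encoded GET-style variant in a POST body;
# lines 1, 4 and 5 are benign or off-target and must not alert.
SAMPLE_LOG = (
    "POST\t/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails\tid=42\t200\t{\"dataexists\":1}\n"
    "POST\t/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPlacemarkDetails\tid=-1 UNION ALL SELECT NULL,NULL,md5(1234)--+\t200\tdataexists 81dc9bdb52d04dc20036dbd8313ed055\n"
    "POST\t/index.php?option=com_zhbaidumap&no_html=1&format=raw&task=getPathHoverText\tid=-1%20UNION%20SELECT%20NULL--\t200\tdataexists\n"
    "POST\t/index.php?option=com_content&task=getPlacemarkDetails\tid=-1 UNION ALL SELECT NULL--\t404\t\n"
    "GET\t/index.php?option=com_zhbaidumap&task=getPathDetails&id=7\t\t200\tdataexists\n"
)


def classify(line):
    """Return a finding dict for one log line, or None if it does not match the rule."""
    method, target, body, status, resp = line.split("\t")
    parts = urlsplit(target)
    if parts.path != "/index.php":
        return None
    query = parse_qs(parts.query)
    if query.get("option") != ["com_zhbaidumap"]:
        return None
    task = query.get("task", [""])[0]
    if task not in INJECTABLE_TASKS:
        return None
    # id may arrive in the POST body (as in the PoC) or in the query string;
    # parse_qs percent-decodes and turns '+' into spaces, so encoded payloads are normalised.
    ids = parse_qs(body, keep_blank_values=True).get("id", []) + query.get("id", [])
    injected = [v for v in ids if UNION_RE.search(v)]
    if not injected:
        return None
    return {
        "method": method,
        "task": task,
        "id": injected[0],
        "status": status,
        # The advisory's success matcher: 'dataexists' in the response body.
        "likely_success": "dataexists" in resp,
    }


def scan(log_text):
    """Run the rule over every line of a log and return the findings in order."""
    findings = []
    for line in log_text.splitlines():
        if not line:
            continue
        hit = classify(line)
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Running the block flags only the second and third sample lines, both marked likely_success because the response carries 'dataexists'; the benign id=42 request and the request to a different option are ignored. The response matcher is deliberately only a confidence boost, since 'dataexists' also appears in legitimate responses (line 1), so the request-side UNION check is what drives the alert.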

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL, CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
VulnCheck: 9.8 CRITICAL