CVE-2018-7179
Published 2018-02-17

CVE-2018-7179: SQL Injection exists in the SquadManagement 1.0.3 component for Joomla! via the id parameter.

Priority: P2 (62) · critical · CVSS 3.0 score 9.8
CVSS 3.0 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 2.70% (84.1th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| squadmanagement_project | squadmanagement | — | — |
Detection & IOCs (extracted from sources)

Vulnerable URL patterns:
- http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=appointment&task=deleteappointment&id=[SQL]
- http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=appointment&task=removefromappointment&id=[SQL]
- http://localhost/[PATH]/index.php?option=com_squadmanagement&view=editsquad&format=memberlist&squadid=[SQL]
- http://localhost/[PATH]/index.php?option=com_squadmanagement&controller=squadmembers&task=addmember&squadid=[SQL]
- Monitor HTTP requests containing 'option=com_squadmanagement' combined with SQL injection patterns in the 'id' or 'squadid' query parameters.
- Alert on requests to index.php with 'option=com_squadmanagement' and the tasks removewarround, deleteappointment, removefromappointment or addmember; these are the specific vulnerable endpoints.
- Alert on requests to index.php with 'option=com_squadmanagement' and 'view=editsquad&format=memberlist' with a manipulated 'squadid' parameter.
- The exploit POC payloads are Base64-encoded; defenders should decode and inspect these strings to understand the exact SQL injection payloads being used (e.g., EXTRACTVALUE/CONCAT-based error-based SQLi).
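As an added example, not part of this advisory page or the SquadManagement project: a small Python checker that applies the detection guidance above to web-server access logs. It assumes Combined Log Format input and treats any non-numeric value in the id or squadid parameters that carries quote, comment or SQL-function tokens as an indicator; the sample log lines are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Task names the advisory lists as the vulnerable endpoints.
SUSPECT_TASKS = {"removewarround", "deleteappointment", "removefromappointment", "addmember"}
# Query parameters the advisory names as injection points.
SUSPECT_PARAMS = ("id", "squadid")
# Tokens that must not appear in a numeric id: quotes, comment markers, and functions typical of error-based SQLi.
SQLI_PATTERN = re.compile(r"['\"()#;]|--|/\*|\b(?:extractvalue|concat|union|select|sleep|benchmark)\b", re.I)
# Combined Log Format; only client IP, timestamp and request path are used below.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def inspect_request(path):
    """Return a reason string if the request hits a vulnerable endpoint with a tampered id, else None."""
    qs = parse_qs(urlsplit(path).query, keep_blank_values=True)
    def first(key):
        return qs.get(key, [""])[0]
    if first("option") != "com_squadmanagement":
        return None
    on_task = first("task").lower() in SUSPECT_TASKS
    on_view = first("view") == "editsquad" and first("format") == "memberlist"
    if not (on_task or on_view):
        return None
    for param in SUSPECT_PARAMS:
        value = unquote(first(param))  # second decode catches double-encoded payloads
        if not value or value.isdigit():
            continue  # a plain integer is the expected shape for these ids
        if SQLI_PATTERN.search(value):
            return f"sqli indicator in {param}={value!r}"
    return None

def scan_log(lines):
    """Return (client_ip, timestamp, reason) for every suspicious request in the log."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            reason = inspect_request(m["path"])
            if reason:
                hits.append((m["ip"], m["ts"], reason))
    return hits

# Constructed sample log lines (not real traffic): a benign request, two injection
# attempts against the endpoints above, and one request to an unrelated component.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Feb/2018:10:01:02 +0000] "GET /index.php?option=com_squadmanagement&controller=appointment&task=deleteappointment&id=12 HTTP/1.1" 200 512',
    '203.0.113.5 - - [17/Feb/2018:10:01:09 +0000] "GET /index.php?option=com_squadmanagement&controller=appointment&task=deleteappointment&id=12%27%20AND%20EXTRACTVALUE(1%2CCONCAT(0x7e%2Cversion())) HTTP/1.1" 500 1024',
    '198.51.100.7 - - [17/Feb/2018:10:02:30 +0000] "GET /index.php?option=com_squadmanagement&view=editsquad&format=memberlist&squadid=3%27%20OR%201%3D1-- HTTP/1.1" 200 2048',
    '198.51.100.9 - - [17/Feb/2018:10:03:00 +0000] "GET /index.php?option=com_content&view=article&id=1%27 HTTP/1.1" 404 300',
]
```

Running `scan_log(SAMPLE_LOG)` flags only the second and third lines; the benign numeric id and the unrelated component pass through, which keeps the rule from firing on ordinary Joomla traffic.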
CVSS provenance
- NVD v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
No detection rules found.
No writeups or analysis indexed.