CVE-2019-10664
published 2019-03-31

CVE-2019-10664: Domoticz before 4.10578 allows SQL Injection via the idx parameter in CWebServer::GetFloorplanImage in WebServer.cpp.

Priority: P264 · Severity: critical · CVSS 3.0 base score 9.8 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit: available
EPSS: 7.55% (93.8th percentile)

Affected

1 range

Vendor   | Product  | Version range | Fixed in
domoticz | domoticz | < 4.10578     | 4.10578

Detection & IOCs (extracted from sources)

url: /json.htm?type=command&param=getfloorplanimage&idx=
cookie: SID=
  • Monitor HTTP GET requests to the Domoticz floorplan image endpoint with a manipulated `idx` parameter containing SQL metacharacters (quotes, UNION, SELECT, etc.), indicating SQL injection attempts against CWebServer::GetFloorplanImage in WebServer.cpp.
  • Detect unauthenticated POST requests to the Domoticz settings/configuration endpoint containing `UVCParams` with shell command injection patterns (newlines, `#` comment terminators, shell commands).
  • Alert on ZIP file uploads to Domoticz icon upload endpoint containing PNG files with non-image (shell script/command) content, particularly filenames matching `fakeicon*.png` or `icons.txt` with fake icon definitions.
  • Monitor for the exploit's SQL injection data-theft pattern: unauthenticated GET requests to the floorplan image route with SQL injection payloads used to extract credential fields from the Domoticz database.
  • Detect the exploit's credential-harvesting phase followed by login and SID cookie acquisition, then subsequent privileged API calls — a sequence of unauthenticated SQL injection followed by authenticated RCE is the full attack chain.
  • Flag UVC camera API calls (add/list/live) immediately following a settings POST with injected UVCParams — this is the RCE trigger step in the exploit chain.
  • The exploit targets Domoticz versions strictly before 4.10578; version 4.10578 and later contain the upstream patch. Confirm the installed version before applying detection rules to avoid false positives on patched instances.
  • The exploit has two distinct RCE delivery modes (`-zipcmd` via icon ZIP upload, and `-direct` via HTTP server callback); detection rules should cover both the ZIP upload path and the external HTTP fetch path for the shell script payload.
  • The exploit restores default UVC parameters after execution to cover tracks; forensic detection should therefore focus on transient log entries and network connections rather than persistent configuration state.
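As an added example (not code from the page or from the Domoticz project), a Python scanner over constructed access-log lines that implements the first detection bullet: it flags GET requests to the floorplan image route whose `idx` is not a plain integer and carries SQL metacharacters, and applies the 4.10578 version boundary from the notes above. The log format, sample lines and the probe strings in them are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the page). The second line
# carries a generic SQL metacharacter probe in idx, not a working payload.
SAMPLE_LOG = """\
10.0.0.5 - - [31/Mar/2019:10:00:01 +0000] "GET /json.htm?type=command&param=getfloorplanimage&idx=3 HTTP/1.1" 200 5120
10.0.0.9 - - [31/Mar/2019:10:00:02 +0000] "GET /json.htm?type=command&param=getfloorplanimage&idx=3%27%20UNION%20SELECT%201 HTTP/1.1" 200 0
10.0.0.9 - - [31/Mar/2019:10:00:03 +0000] "GET /json.htm?type=devices&rid=4 HTTP/1.1" 200 812
"""

# Common-log-format request line (assumed format for the constructed sample).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET (?P<url>\S+) HTTP/[\d.]+"'
)

# Quotes, comment/terminator characters and common SQL keywords; idx should
# only ever be an integer on this route, so any of these is suspicious.
SQL_META_RE = re.compile(r"""['"`;()/*\-]|\b(union|select|from|where|or|and)\b""", re.I)

FIXED_VERSION = (4, 10578)  # first version containing the upstream patch


def is_affected(version: str) -> bool:
    """True for Domoticz versions strictly before 4.10578."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION


def is_floorplan_sqli(url: str) -> bool:
    """True if the request hits getfloorplanimage with a non-integer idx
    that contains SQL metacharacters (parse_qs percent-decodes once)."""
    parts = urlsplit(url)
    if parts.path != "/json.htm":
        return False
    q = parse_qs(parts.query, keep_blank_values=True)
    if q.get("param", [""])[0].lower() != "getfloorplanimage":
        return False
    return any(not v.isdigit() and SQL_META_RE.search(v) for v in q.get("idx", []))


def scan(log_text: str) -> list[tuple[str, str]]:
    """Return (client_ip, url) for every suspicious floorplan-image request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and is_floorplan_sqli(m["url"]):
            hits.append((m["ip"], m["url"]))
    return hits
```

Run `scan()` only against hosts where `is_affected()` is true for the installed version, as the notes above recommend, to keep the alert useful.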

CVSS provenance

NVD, CVSS v3.0: 9.8 CRITICAL (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)