CVE-2020-13118
published 2020-05-16

CVE-2020-13118: An issue was discovered in Mikrotik-Router-Monitoring-System through 2018-10-22. SQL Injection exists in check_community.php via the parameter community.

Priority: P2 (62) · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public PoC (see Detection & IOCs below)
EPSS: 3.96% (89.1th percentile)

Affected (1 range)

Vendor: mikrotik-router-monitoring-system_project
Product: mikrotik-router-monitoring-system
Version range: <= 2018-10-22
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

path: /check_community.php
url: http://localhost/check_community.php?community=1' AND (SELECT 6941 FROM (SELECT(SLEEP(10)))Qaxg) AND 'sdHI'='sdHI
  • Monitor HTTP GET requests to check_community.php where the 'community' parameter contains SQL metacharacters (single quotes) or SQL keywords and functions (AND, SELECT, SLEEP); in combination with a quote these indicate a boolean or time-based blind SQL injection attempt rather than a legitimate community string.
  • The vulnerable code interpolates the unsanitized GET parameter 'community' directly into the query `SELECT name from router where \`community\`='$community'`, so any payload that closes the single quote reaches the database unchanged. Decode the parameter (percent-encoding, '+' for space) before matching, since the PoC is normally sent URL-encoded.
  • Time-based blind payloads using SLEEP() against check_community.php should be flagged as high-confidence; the PoC uses SLEEP(10), so a request to this endpoint whose server processing time is about 10 seconds longer than the baseline corroborates a successful injection.
  • The vulnerability affects all Mikrotik-Router-Monitoring-System versions through 2018-10-22, and no fixed release is listed; verify the installed version before applying detections to avoid false positives on deployments that have patched the query themselves (for example by switching to a prepared statement).
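The detection logic sketched in the bullets above, applied to a few Apache combined-format access log lines, as an added example (not code from the page or from the Mikrotik-Router-Monitoring-System project). The log lines are constructed for this example; the second one carries the URL-encoded form of the advisory's PoC payload. The rule names, severities and regular expressions are this example's own choices, not a published detection rule. Matching is scoped to the vulnerable endpoint and runs on the decoded parameter value, so a plain word like "and" in an ordinary community string does not fire.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access log (Apache combined format). Line 2 is the advisory's
# PoC payload as a browser or sqlmap would actually send it (percent-encoded);
# line 3 is a boolean-based probe; lines 1, 4 and 5 are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [16/May/2020:10:01:02 +0000] "GET /check_community.php?community=public HTTP/1.1" 200 57 "-" "Mozilla/5.0"
10.0.0.9 - - [16/May/2020:10:01:09 +0000] "GET /check_community.php?community=1%27%20AND%20%28SELECT%206941%20FROM%20%28SELECT%28SLEEP%2810%29%29%29Qaxg%29%20AND%20%27sdHI%27%3D%27sdHI HTTP/1.1" 200 57 "-" "sqlmap/1.4"
10.0.0.9 - - [16/May/2020:10:01:20 +0000] "GET /check_community.php?community=1'%20or%20'1'%3D'1 HTTP/1.1" 200 57 "-" "curl/7.68.0"
10.0.0.5 - - [16/May/2020:10:02:00 +0000] "GET /index.php?community=public HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.7 - - [16/May/2020:10:02:11 +0000] "GET /check_community.php?community=Rock%20and%20Roll HTTP/1.1" 200 57 "-" "Mozilla/5.0"
"""

# Apache "combined" log format: ip ident user [ts] "METHOD target proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

VULN_PATH = "/check_community.php"   # endpoint named in the advisory
VULN_PARAM = "community"             # injected parameter named in the advisory

# Hypothetical rule set, ordered most to least specific; the first hit sets severity.
RULES = [
    ("time_based",    "critical",
     re.compile(r"\b(?:sleep|benchmark|pg_sleep)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("subselect",     "high",
     re.compile(r"\bselect\b.*\bfrom\b|\bunion\b\s+(?:all\s+)?select\b", re.I)),
    ("boolean_quote", "high",
     re.compile(r"'\s*(?:and|or)\b|\b(?:and|or)\b\s*'", re.I)),
    ("stray_quote",   "medium",
     re.compile(r"'")),
]


def extract_param(target, name):
    """Return (path, decoded values of `name`) for a request target, or (None, []) off-target."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None, []
    # parse_qs percent-decodes and maps '+' to space, i.e. what PHP's $_GET receives.
    values = parse_qs(parts.query, keep_blank_values=True).get(name, [])
    return parts.path, values


def classify(value):
    """List of (rule, severity) pairs whose pattern matches the decoded parameter value."""
    return [(name, sev) for name, sev, rx in RULES if rx.search(value)]


def scan_log(text):
    """Scan access-log text; return one finding per suspicious check_community.php request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        path, values = extract_param(m["target"], VULN_PARAM)
        if path is None:
            continue
        for v in values:
            hits = classify(v)
            if hits:
                findings.append({
                    "ip": m["ip"], "ts": m["ts"], "ua": m["ua"],
                    "severity": hits[0][1],
                    "rules": [name for name, _ in hits],
                    "community": v,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ip']:10} {f['ts']}  rules={','.join(f['rules'])}  "
              f"community={f['community']!r}")
```

Run against the sample, the scanner reports two findings: the PoC request as critical (time_based, plus the subselect and quote rules) and the `1' or '1'='1` probe as high; the benign requests, including the one containing the bare word "and", produce nothing, and the index.php request is ignored because the endpoint is out of scope. To turn the SLEEP(10) confirmation into evidence rather than a pattern match, log request duration (Apache `%D`, nginx `$request_time`) and compare it to the endpoint's baseline for the flagged requests.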

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_oracle: 7.5 MEDIUM