VYPR
Unrated severity · NVD Advisory · Published Jul 20, 2018 · Updated Sep 17, 2024

CVE-2018-14440

Description

An issue was discovered in cckevincyh SSH CompanyWebsite through 2018-05-03. SQL injection exists via the admin/noticeManageAction_queryNotice.action noticeInfo parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in cckevincyh SSH CompanyWebsite up to 2018-05-03 via noticeInfo parameter in admin/noticeManageAction_queryNotice.action.

Vulnerability

An SQL injection vulnerability exists in the cckevincyh SSH CompanyWebsite product, affecting all versions up to the 2018-05-03 release. The flaw resides in the admin/noticeManageAction_queryNotice.action endpoint, where the noticeInfo parameter is not sanitized before being used in a SQL query. A POST request to this endpoint with a malicious payload in the noticeInfo parameter can inject arbitrary SQL commands. Versions prior to and including 2018-05-03 are confirmed vulnerable [1].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the vulnerable endpoint. No authentication is required to reach the action. The example payload noticeInfo=aa%' and 123=123 and '%'=' is provided in the reference [1]; it shows that attacker-supplied text is spliced into the SQL statement, so a single quote terminates the existing string literal and the remainder is parsed as additional SQL conditions. The attacker must have network access to the application server. Exploitation requires no user interaction beyond the attacker sending the request.

Impact

Successful exploitation allows an attacker to execute arbitrary SQL queries against the backend database. This can lead to unauthorized access to sensitive data, modification of database content, or potential escalation of privileges depending on the database user permissions. The impact is primarily on confidentiality and integrity, as the attacker can read or alter data managed by the application.

Mitigation

A patched version had not been explicitly released as of the publication date of this CVE (2018-07-20). Users are advised to upgrade to a secure version if one becomes available, or to apply input validation and parameterized queries for the noticeInfo parameter. As a workaround, web application firewall (WAF) rules can be configured to block SQL injection patterns. The project appears to be inactive; users should consider migrating to an alternative solution or implementing proper input sanitization themselves.
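The following is an added illustration, not code from the cckevincyh project or the advisory: the query shape the advisory describes (user input concatenated into SQL) beside its parameterized form, run against a constructed notice table in SQLite from Python rather than the application's own Java stack. The table name, column names and sample rows are assumptions; the payload is the one quoted in the Exploitation section.

```python
import sqlite3

# Constructed sample rows standing in for the application's notice table.
# Schema is assumed; the original project's schema is not on the page.
NOTICES = [
    ("Office closed on Friday", "Public notice"),
    ("Charity bazaar on Saturday", "Public notice"),
    ("Internal payroll schedule", "Staff only"),
]

# The noticeInfo value quoted in the advisory's reference.
ADVISORY_PAYLOAD = "aa%' and 123=123 and '%'='"


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with the constructed notices."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notice (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO notice VALUES (?, ?)", NOTICES)
    return conn


def render_vulnerable_sql(notice_info: str) -> str:
    """The defect the advisory describes: input becomes part of the SQL text."""
    return "SELECT title FROM notice WHERE title LIKE '%" + notice_info + "%'"


def query_notice_vulnerable(conn: sqlite3.Connection, notice_info: str) -> list:
    """Runs the concatenated statement, so quotes and keywords in the
    input are parsed by the database as SQL."""
    return [row[0] for row in conn.execute(render_vulnerable_sql(notice_info))]


def query_notice_safe(conn: sqlite3.Connection, notice_info: str) -> list:
    """Hardened form: the value is bound as a parameter and can only ever
    be a search string, never additional SQL."""
    sql = "SELECT title FROM notice WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + notice_info + "%",))]


if __name__ == "__main__":
    db = make_db()
    # Vulnerable: the injected 'and 123=123' is evaluated, and the query
    # behaves exactly like a plain search for "aa".
    print(query_notice_vulnerable(db, ADVISORY_PAYLOAD))
    # Safe: the whole payload is treated as literal text and matches nothing.
    print(query_notice_safe(db, ADVISORY_PAYLOAD))
```

Comparing the two results against a plain search for "aa" is a quick way to confirm in a test suite that a query path binds its parameters rather than concatenating them.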

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)


References: 1
