VYPR
Unrated severity · OSV Advisory · Published Dec 6, 2018 · Updated Sep 17, 2024

CVE-2018-19895

Description

ThinkCMF X2.2.2 has SQL Injection via the function edit_post() in NavController.class.php and is exploitable with the manager privilege via the parentid parameter in a nav action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkCMF X2.2.2 SQL injection in NavController edit_post() allows manager-privilege attackers to execute arbitrary SQL queries via the parentid parameter.

Vulnerability

ThinkCMF X2.2.2 contains a SQL injection vulnerability in the function edit_post() within NavController.class.php (/application/Admin/Controller/NavController.class.php line 173). The parentid parameter is taken directly from $_POST['parentid'] and concatenated into the SQL WHERE clause without sanitization, allowing an attacker with manager privileges to inject arbitrary SQL commands [1].

Exploitation

An attacker must have manager privileges on the ThinkCMF instance. The attack is performed by sending a POST request to /index.php?g=Admin&m=nav&a=edit_post with a crafted parentid parameter containing SQL injection payloads, such as 1 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1). No additional user interaction is required [1].

Impact

Successful exploitation allows an authenticated manager to execute arbitrary SQL queries, leading to information disclosure (including extraction of the database user and other sensitive data). The attacker does not escalate privilege beyond the existing manager role but can read or modify any data the database user has access to [1].

Mitigation

As of the publication date (2018-12-06), no patch was available for ThinkCMF X2.2.2, and the vendor has not issued an official fix. Affected sites should upgrade to a patched version if one is later released or, in the meantime, validate the parentid parameter before it is used in the query. This CVE is not listed on CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
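The pattern the advisory describes (a POST parameter concatenated into a WHERE clause) beside the hardened form that the mitigation calls for, as an added illustration that is not ThinkCMF's own code: the table and column names (nav, id, name, parentid) and the in-memory SQLite database are assumptions constructed for the example.

```php
<?php
// Added illustrative example, not ThinkCMF's code. Shows the vulnerable
// concatenation pattern next to a hardened handler that validates parentid as
// an integer and binds it. Table/column names and the SQLite data are assumed.

// Vulnerable pattern: $_POST['parentid'] goes straight into the SQL string.
function findChildrenVulnerable(PDO $pdo, array $post): array
{
    $sql = "SELECT id, name FROM nav WHERE parentid = " . $post['parentid'];
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened step 1: parentid must be a non-negative integer; anything else is
// rejected before it gets anywhere near the database.
function validateParentId($raw): int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($id === false) {
        throw new InvalidArgumentException('parentid must be a non-negative integer');
    }
    return $id;
}

// Hardened step 2: the validated integer is bound as a parameter, never concatenated.
function findChildrenSafe(PDO $pdo, array $post): array
{
    $parentid = validateParentId($post['parentid'] ?? null);
    $stmt = $pdo->prepare('SELECT id, name FROM nav WHERE parentid = :parentid');
    $stmt->bindValue(':parentid', $parentid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample data (assumed schema).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE nav (id INTEGER PRIMARY KEY, name TEXT, parentid INTEGER)');
$pdo->exec("INSERT INTO nav VALUES (1, 'Home', 0), (2, 'About', 1), (3, 'Contact', 1)");

// Well-formed input: both versions return the two children of nav item 1.
echo count(findChildrenSafe($pdo, ['parentid' => '1'])), " rows", PHP_EOL;

// Non-integer input: the hardened version rejects it instead of letting the
// database interpret it as SQL, which is what the concatenating version does.
try {
    findChildrenSafe($pdo, ['parentid' => '1 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same integer validation applied at the edit_post() boundary is the short-term mitigation the advisory recommends; binding the value is what removes the injection class entirely.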

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in the index yet)