VYPR
Unrated severity · OSV Advisory · Published Dec 6, 2018 · Updated Sep 16, 2024

CVE-2018-19897

Description

ThinkCMF X2.2.2 has SQL Injection via the function _listorders() in AdminbaseController.class.php and is exploitable with the manager privilege via the listorders[key][1] parameter in a Link listorders action.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ThinkCMF X2.2.2 contains a SQL injection in the _listorders() function of AdminbaseController.class.php, reachable by an account with manager privilege through a crafted listorders[key][1] parameter in a Link listorders request.

Vulnerability

A SQL injection vulnerability exists in ThinkCMF X2.2.2 in the function _listorders() of AdminbaseController.class.php. The function passes the user-supplied listorders[key][1] value straight into the SQL statement it builds, without validating the value's type or content. The affected code path is reachable by a user with manager privileges through the listorders action, for example on the Link controller. This specific injection is described in reference [1], which also documents three other SQL injection flaws in the same version, in CommentadminController, NavController, and SlideController.

Exploitation

An attacker must hold manager-level privileges to reach the vulnerable code path. The attack is an HTTP POST to a URL such as http://127.0.0.1/cmfx/index.php?g=Admin&m=Link&a=listorders with the parameters listorders[key][0]=exp and listorders[key][1]=0 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1) [1]. The exp marker in the first array element is ThinkPHP's raw-expression syntax: the query builder treats the second element as a SQL expression and concatenates it into the statement verbatim instead of binding it as a value, so everything after listorders[key][1]= becomes attacker-controlled SQL. The updatexml() call is an error-based technique; MySQL rejects the malformed XPath argument and reports the concatenated subquery result in its error text.

Impact

Successful exploitation lets an authenticated manager run attacker-chosen SQL inside the affected statement, leading to disclosure, modification, or deletion of database contents. The attacker can extract sensitive data such as user credentials, use it to extend access, or cause denial of service. Because the payload uses updatexml(), the injected subquery's result, here the output of SELECT user(), is returned inside the MySQL error message, which is how reference [1] confirms the injection; error-based extraction of this kind returns at most 32 characters per request, so longer values are read in slices with substring().

Mitigation

No official patch had been released as of the publication date, and no fix version is linked from the vendor's repository issue [1]. Users of ThinkCMF X2.2.2 should upgrade to a version that fixes these SQL injection issues once one is available. As a workaround, _listorders() and the other affected methods should enforce the type of the incoming values: a sort position is an integer, so cast listorders values to int and reject array-valued entries before they reach the model. Parameterized queries alone do not close this hole, because the injection rides on the framework's exp expression syntax, which deliberately bypasses value binding; the input must be prevented from ever being treated as an expression. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
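As an added illustration, not code from ThinkCMF, ThinkPHP or the reference, the PHP below reconstructs the mechanism described under Vulnerability and Exploitation and the type-enforcement workaround from Mitigation. parseSet() is a stand-in for the query builder's SET-clause handling, modelled on ThinkPHP 3.2's Driver::parseSet(), where an array value whose first element is the string 'exp' is treated as a raw expression; the table name cmf_link, the column name listorder, the quoting rules and the two request bodies are assumptions constructed for the demonstration.

```php
<?php
// Added illustration (not ThinkCMF or ThinkPHP source): how a ThinkPHP-style
// ['exp', '<expression>'] array value travels from a listorders POST body
// into the UPDATE that a _listorders()-like loop issues, and a hardened
// version of the loop. Table name `cmf_link`, column `listorder` and the
// quoting rules below are assumptions made for the demonstration.

// Stand-in for ThinkPHP 3.2's Driver::parseSet(): scalars are escaped and
// quoted, but an array whose first element is the string 'exp' is spliced
// into the SET clause verbatim. That escape hatch is the injection point.
function parseSet(array $data): string
{
    $set = [];
    foreach ($data as $key => $val) {
        if (is_array($val) && isset($val[0], $val[1]) && 'exp' === $val[0]) {
            $set[] = "`$key`=" . $val[1];                       // raw expression
        } elseif (is_scalar($val)) {
            $set[] = "`$key`='" . addslashes((string) $val) . "'";
        }
    }
    return ' SET ' . implode(',', $set);
}

// Vulnerable shape: each POST value is handed to the model untouched, so an
// array value is accepted as an expression.
function buildListordersVulnerable(array $listorders, string $table = 'cmf_link'): array
{
    $sql = [];
    foreach ($listorders as $id => $r) {
        $data = ['listorder' => $r];
        $sql[] = "UPDATE `$table`" . parseSet($data)
               . " WHERE `id`='" . addslashes((string) $id) . "'";
    }
    return $sql;
}

// Hardened shape: a sort position is an integer and nothing else. Arrays and
// non-numeric ids are dropped before the query builder sees them, so the
// 'exp' syntax can never be reached from user input.
function buildListordersHardened(array $listorders, string $table = 'cmf_link'): array
{
    $sql = [];
    foreach ($listorders as $id => $r) {
        if (is_array($r) || !preg_match('/^\d+$/', (string) $id)) {
            continue;
        }
        $data = ['listorder' => (int) $r];
        $sql[] = "UPDATE `$table`" . parseSet($data) . " WHERE `id`='" . (int) $id . "'";
    }
    return $sql;
}

// Constructed request bodies for the demonstration (not captured traffic).
$bodies = [
    'benign'    => 'listorders[7]=3&listorders[8]=4',
    'malicious' => 'listorders[7][0]=exp&listorders[7][1]='
                 . rawurlencode('0 and updatexml(1,concat(0x7e,(SELECT user()),0x7e),1)'),
];

foreach ($bodies as $label => $body) {
    parse_str($body, $post);                      // same parsing PHP applies to $_POST
    echo "== $label ==\n";
    foreach (buildListordersVulnerable($post['listorders']) as $q) {
        echo "vulnerable: $q\n";
    }
    $hardened = buildListordersHardened($post['listorders']);
    echo $hardened ? "hardened:   " . implode("\nhardened:   ", $hardened) . "\n"
                   : "hardened:   (request rejected, nothing executed)\n";
}
```

Run it with the php CLI. For the malicious body the vulnerable builder emits UPDATE `cmf_link` SET `listorder`=0 and updatexml(...) WHERE `id`='7', i.e. the attacker's text sits unquoted inside the SET clause, while the hardened builder never produces a statement because an array-valued sort position is rejected before the model is involved. The point of the hardened version is that it fixes the type of the input rather than escaping it: the framework already binds scalar values, so the defence has to stop user input from ever taking the array form that the exp syntax recognises.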

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.