CVE-2018-25300
Description
XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
XATABoost CMS 1.0.0 has an unauthenticated union-based SQL injection in news.php via the id parameter, allowing database extraction.
Vulnerability
Overview
XATABoost CMS version 1.0.0 contains a union-based SQL injection vulnerability in the news.php script. The id parameter is not properly sanitised, allowing an attacker to inject arbitrary SQL commands. This issue is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. [1] [2]
Exploitation
The vulnerability can be triggered by sending a GET request to news.php with a malicious id value. No authentication is required, making it accessible to any remote attacker. For example, a request to http://localhost/news.php?id=[Injection Point] can be used to inject union-based SQL queries. The exploit is publicly available, including a proof-of-concept on Exploit-DB. [2]
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the database, such as user credentials, session data, or other confidential records. The CVSS v3 score of 8.2 (High) reflects the ease of exploitation and high confidentiality impact. [1]
Mitigation
As of the advisory, no official patch has been released for XATABoost CMS 1.0.0. Users are advised to implement input validation and parameterized queries for the id parameter, or consider upgrading to a supported version if available. [1]
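The mitigation described above, in code: this is an added illustration, not XATABoost CMS's own source (which is not on this page). The hypothetical news.php below assumes a MySQL `news` table with an integer `id` column and PDO, and shows the string-built query pattern the advisory describes beside a version that validates `id` as an integer and binds it as a query parameter.

```php
<?php
// Added illustration, not XATABoost CMS code. Assumes a MySQL 'news' table
// with an integer primary key 'id' and a PDO connection (both assumptions).

// --- Vulnerable pattern: untrusted text is concatenated into the SQL string ---
function vulnerable_lookup(PDO $db, array $get): array
{
    $id = $get['id'] ?? '';
    // This is the shape CWE-89 describes: whatever arrives in ?id= becomes SQL.
    $sql = "SELECT id, title, body FROM news WHERE id = $id";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened version: validate the type, then bind the value as a parameter ---
function hardened_lookup(PDO $db, array $get): array
{
    // 1. Input validation: id must be a positive integer and nothing else.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return [];
    }
    // 2. Parameterized query: the value is bound, never spliced into SQL text,
    //    so a UNION or any other SQL fragment in the input cannot change the query.
    $stmt = $db->prepare('SELECT id, title, body FROM news WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders for this illustration.
$db = new PDO('mysql:host=localhost;dbname=cms', 'app', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);
foreach (hardened_lookup($db, $_GET) as $row) {
    echo htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8'), "\n";
}
```

Rejecting non-integer values up front also gives a clean 400 to log on, which is a useful detection signal for probing of the id parameter.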
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: =1.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.