CVE-2018-25431
Description
No-Cms 1.0's manage_privilege export endpoint is vulnerable to SQL injection via the order_by parameter, allowing authenticated users to extract database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
No-Cms version 1.0 is affected by an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint. This flaw allows authenticated attackers to manipulate database queries by injecting malicious SQL code [3]. The vulnerability is present in the export functionality of the manage_privilege module [2].
Exploitation
An attacker needs to be authenticated to the No-Cms application. They can then send a POST request to the /nocms/main/manage_privilege/index/export endpoint. By providing malicious SQL code within the order_by[0] parameter, the attacker can exploit the vulnerability [2, 3].
Impact
Successful exploitation of this SQL injection vulnerability allows an authenticated attacker to extract sensitive database information. The scope of the compromise is limited to the data accessible through the manipulated database queries [3].
Mitigation
No specific patched version or release date for No-Cms 1.0 has been disclosed in the available references. Users are advised to consult the vendor or security advisories for potential workarounds or updated information. No-Cms is no longer actively maintained as the developer has shifted focus to Chimera-Framework [1].
AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The order_by parameter in the export endpoint is vulnerable to SQL injection due to insufficient input sanitization."
Attack vector
An authenticated attacker can send a POST request to the `/nocms/main/manage_privilege/index/export` endpoint. By injecting malicious SQL code into the `order_by[0]` parameter, the attacker can manipulate database queries to extract sensitive information [ref_id=2]. The exploit demonstrates using a crafted `order_by[0]` value to achieve this injection [ref_id=2].
Affected code
The vulnerability exists in the `manage_privilege` export endpoint, specifically within the handling of the `order_by` parameter. This parameter is used to manipulate database queries, and its lack of proper sanitization allows for SQL injection [ref_id=2].
What the fix does
The provided bundle does not contain information about a patch or specific remediation steps. Therefore, the advisory does not specify how the vulnerability is fixed. Users are advised to consult vendor advisories for the latest information on patches or workarounds.
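Since no vendor fix is recorded, the following added example (not No-Cms code and not a vendor patch) shows the usual defence for an injectable sort parameter: bind parameters cannot carry identifiers, so the `order_by` values are checked against an allowlist. The table and column names, the reading of `order_by[0]` as column and `order_by[1]` as direction, and the helper names are assumptions for illustration.

```python
import sqlite3

# Hypothetical schema: the real manage_privilege columns are not given on the page.
SORTABLE = {"privilege_id", "privilege_name", "title"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def build_order_clause(order_by):
    """Build the ORDER BY clause from the request's order_by list.

    Assumption: order_by[0] names the column and order_by[1] the direction.
    Identifiers cannot be bound as parameters, so a request value reaches the
    SQL text only if it exactly equals an allowlisted name.
    """
    column = (order_by[0] if len(order_by) > 0 else "") or "privilege_id"
    direction = (order_by[1] if len(order_by) > 1 else "") or "asc"
    if not isinstance(column, str) or column not in SORTABLE:
        raise ValueError("unsupported sort column")
    if not isinstance(direction, str) or direction.lower() not in DIRECTIONS:
        raise ValueError("unsupported sort direction")
    return f"ORDER BY {column} {DIRECTIONS[direction.lower()]}"


def export_rows(conn, search_text, order_by, per_page=25, page=1):
    """Run the export query; search text and paging values are bound, not concatenated."""
    order_clause = build_order_clause(order_by)
    limit = max(1, min(int(per_page), 100))
    offset = (max(1, int(page)) - 1) * limit
    sql = ("SELECT privilege_id, privilege_name, title FROM privilege "
           "WHERE privilege_name LIKE ? " + order_clause + " LIMIT ? OFFSET ?")
    return conn.execute(sql, (f"%{search_text}%", limit, offset)).fetchall()


def demo_db():
    """Constructed sample data in an in-memory SQLite database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE privilege (privilege_id INTEGER PRIMARY KEY, "
                 "privilege_name TEXT, title TEXT)")
    conn.executemany("INSERT INTO privilege VALUES (?, ?, ?)",
                     [(1, "main_login", "Login"), (2, "main_export", "Export"),
                      (3, "main_admin", "Admin")])
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(export_rows(db, "main", ["privilege_name", "desc"]))
    try:
        export_rows(db, "", ["privilege_name, (SELECT 1)", ""])  # constructed hostile value
    except ValueError as exc:
        print("rejected:", exc)
```

A rejected sort value is also a useful detection signal: logging the `ValueError` with the authenticated user and endpoint flags probing of the export function.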
Preconditions
- auth: The attacker must be authenticated to the system.
- input: The attacker needs to control the `order_by[0]` parameter in a POST request.
Reproduction
```http
POST /nocms/main/manage_privilege/index/export HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://localhost/nocms/main/manage_privilege
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Connection: close
Cookie: [authentication cookies]
Upgrade-Insecure-Requests: 1

search_text=&search_field=/**/&per_page=25&order_by[0]=[INJECT HERE]&order_by[1]=&page=1
```
[ref_id=2]
Generated on Jun 1, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 3
News mentions: 0
No linked articles in our index yet.