Login Sign Up

CVE-2018-5990

9.8 CRITICAL
SQL Injection

📋 TL;DR

This is a critical SQL injection vulnerability in the AllVideos Reloaded component for Joomla! CMS. Attackers can inject malicious SQL commands through the 'divid' parameter, potentially allowing them to read, modify, or delete database content. Any Joomla! site running the vulnerable AllVideos Reloaded component is affected.

💻 Affected Systems

Products:
  • Joomla! AllVideos Reloaded component
Versions: 1.2.x versions
Operating Systems: All platforms running Joomla!
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Joomla! installations with AllVideos Reloaded component installed.

📦 What is this software?

Allvideos Reloaded by Allvideos Reloaded Project

View all CVEs affecting Allvideos Reloaded →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, privilege escalation, remote code execution, and full site takeover.

🟠

Likely Case

Database information disclosure, data manipulation, and potential administrative access to the Joomla! site.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code is available, making this easily exploitable by attackers with minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Update to AllVideos Reloaded 1.2.3 or later

Vendor Advisory: https://www.joomla.org/announcements/release-news/

Restart Required: No

Instructions:

1. Log into Joomla! admin panel. 2. Navigate to Extensions > Manage > Update. 3. Update AllVideos Reloaded component to latest version. 4. Alternatively, download latest version from Joomla! Extensions Directory and install manually.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize the 'divid' parameter before processing

Implement parameterized queries or prepared statements in component code

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

Configure WAF to block SQL injection patterns in URL parameters

🧯 If You Can't Patch

  • Disable or remove the AllVideos Reloaded component entirely
  • Implement strict input validation at application level for all user-supplied parameters

🔍 How to Verify

Check if Vulnerable:

Check Joomla! admin panel > Extensions > Manage > Manage for AllVideos Reloaded version. If version is 1.2.0-1.2.2, you are vulnerable.

Check Version:

Check Joomla! admin panel: Extensions > Manage > Manage, find AllVideos Reloaded

Verify Fix Applied:

Confirm AllVideos Reloaded version is 1.2.3 or higher in Joomla! extensions manager.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple requests with SQL-like patterns in 'divid' parameter
  • Error logs showing SQL syntax errors

Network Indicators:

  • HTTP requests containing SQL keywords in URL parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (divid CONTAINS "UNION" OR divid CONTAINS "SELECT" OR divid CONTAINS "INSERT" OR divid CONTAINS "DELETE")

📊 Metadata

CVE ID: CVE-2018-5990
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: February 17, 2018
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-5990, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)