CVE-2018-25330: Joomla! EkRishta Extension Vulnerabilities

The Joomla! extension EkRishta 2.10 is vulnerable to both persistent cross-site scripting (XSS) and SQL injection attacks. The vulnerability allows attackers to inject malicious code via profile information fields such as “Address”, which gets executed when other users view the profile. Additionally, SQL injection is possible via the phone_no POST parameter when interacting with the user_setting endpoint, potentially allowing attackers to manipulate database queries. This combination of vulnerabilities could lead to unauthorized access to sensitive information, modification of data, or even complete compromise of the affected Joomla! installation. The reported CVSS v3.1 base score is 8.2, indicating a high severity.

Attack Chain

1. Attacker crafts a malicious payload containing JavaScript or SQL code.
2. Attacker accesses a user profile and modifies the “Address” field with the crafted XSS payload.
3. Attacker sends a crafted POST request to the user_setting endpoint with a SQL injection payload in the phone_no parameter.
4. The application stores the malicious XSS payload in the database.
5. A legitimate user views the profile containing the attacker’s injected address.
6. The stored XSS payload is rendered in the user’s browser, executing the malicious script.
7. The SQL injection payload is processed by the application, potentially modifying database content or disclosing sensitive data.
8. The attacker gains unauthorized access to sensitive information or control over parts of the application.

Impact

Successful exploitation of these vulnerabilities can lead to severe consequences. The XSS vulnerability allows attackers to execute arbitrary JavaScript code in the context of a user’s browser, potentially stealing session cookies, redirecting users to malicious websites, or defacing the website. The SQL injection vulnerability can allow attackers to read, modify, or delete sensitive data in the database, including user credentials and personal information. While the number of affected EkRishta installations is unknown, a successful attack could compromise user privacy, damage the website’s reputation, and lead to financial losses.

Recommendation

• Apply available patches or updates for the EkRishta extension to address CVE-2018-25330, mitigating both the XSS and SQL injection vulnerabilities.
• Deploy the Sigma rule Detect CVE-2018-25330 Exploitation Attempt — SQL Injection in phone_no Parameter to detect attempts to exploit the SQL injection vulnerability via the phone_no parameter in web server logs.
• Deploy the Sigma rule Detect CVE-2018-25330 Exploitation Attempt — Suspicious Address Field to detect attempts to inject XSS payloads into the Address field via web server logs.
• Implement input validation and sanitization measures to prevent XSS attacks by filtering out potentially malicious characters in user-supplied data.
• Use parameterized queries or prepared statements to prevent SQL injection vulnerabilities by properly escaping user-supplied data in database queries.
• Monitor web server logs for suspicious activity, such as unusual requests or error messages, that may indicate an attempted exploitation of the vulnerabilities.