Attack Chain

1. The attacker authenticates to the Redaxo CMS instance.
2. The attacker crafts a malicious GET request targeting the /redaxo/index.php?addon=myevents&page=event_add endpoint.
3. The crafted GET request includes a myevents_id parameter containing SQL injection payload. For example, myevents_id=1' AND 1=1;--.
4. The web application processes the request and executes the injected SQL code against the database.
5. The injected SQL query allows the attacker to extract sensitive information such as usernames, passwords, or other database content.
6. The attacker analyzes the retrieved data to identify further attack vectors or sensitive information.
7. The attacker modifies database records to escalate privileges or deface the website.

Impact

Successful exploitation of this SQL injection vulnerability (CVE-2018-25319) can lead to unauthorized access to sensitive data, including user credentials and confidential information stored in the Redaxo CMS database. Attackers could potentially escalate their privileges, modify website content, or compromise the entire system. The severity is rated as High with a CVSS score of 7.1.

Recommendation

• Apply any available patches or updates for the Redaxo CMS MyEvents Addon to remediate CVE-2018-25319.
• Deploy the Sigma rule Detect CVE-2018-25319 Exploitation — Redaxo MyEvents SQL Injection to identify exploitation attempts in web server logs.
• Monitor web server logs for suspicious GET requests to /redaxo/index.php?addon=myevents&page=event_add with unusual characters in the myevents_id parameter (see IOCs).
• Implement input validation and sanitization for all user-supplied data, especially for parameters used in database queries.
• Enforce least privilege principles to limit the impact of potential SQL injection attacks.