<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Wecodex - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/wecodex/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/wecodex/feed.xml" rel="self" type="application/rss+xml"/><item><title>Wecodex Restaurant CMS 1.0 SQL Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-wecodex-sqli/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-wecodex-sqli/</guid><description>Wecodex Restaurant CMS 1.0 is vulnerable to SQL injection via the username parameter, allowing unauthenticated attackers to extract sensitive database information by sending crafted POST requests to the login endpoint.</description><content:encoded><![CDATA[<p>Wecodex Restaurant CMS version 1.0 is susceptible to SQL injection. The vulnerability, identified as CVE-2018-25185, enables unauthenticated attackers to inject malicious SQL code into the username parameter of the login form. This allows attackers to manipulate database queries and potentially extract sensitive information. The vulnerability exists because the application fails to properly sanitize user-supplied input before using it in a database query. The attack involves crafting a specific POST request to the login endpoint with a malicious SQL payload. This vulnerability was published on March 26, 2026, highlighting its continued relevance for systems running the vulnerable version. Exploitation can lead to complete compromise of the database.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a Wecodex Restaurant CMS 1.0 instance.</li>
<li>Attacker crafts a malicious SQL payload designed for boolean-based or time-based blind SQL injection.</li>
<li>Attacker sends a POST request to the login endpoint, injecting the SQL payload into the username parameter.</li>
<li>The server processes the request without proper sanitization, executing the injected SQL code.</li>
<li>Attacker analyzes the server's response based on boolean logic or response time to infer database structure and content.</li>
<li>Attacker refines the SQL payload to extract sensitive data such as usernames, passwords, and customer information.</li>
<li>Attacker uses the extracted credentials to gain unauthorized access to the application's administrative interface.</li>
<li>Attacker potentially exfiltrates sensitive data or makes unauthorized changes to the application's database.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability allows attackers to extract sensitive database information, including usernames, passwords, and customer details. This can lead to unauthorized access to the application's administrative interface, data breaches, and potential financial loss. The lack of authentication required to exploit the vulnerability increases the risk. While the exact number of victims is unknown, any organization using Wecodex Restaurant CMS 1.0 is potentially at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply appropriate input validation and sanitization techniques to all user-supplied input, especially within database queries.</li>
<li>Deploy the Sigma rule &quot;Detect Wecodex Restaurant CMS SQL Injection Attempt&quot; to identify potential exploitation attempts (see below).</li>
<li>Implement parameterized queries or prepared statements to prevent SQL injection vulnerabilities.</li>
<li>Consider using a web application firewall (WAF) to filter out malicious requests targeting the login endpoint.</li>
<li>Upgrade to a patched version of Wecodex Restaurant CMS or migrate to a more secure CMS solution if available from the vendor.</li>
<li>Monitor web server logs (cs-uri-query, cs-uri-stem, cs-method) for suspicious POST requests containing SQL syntax to the login endpoint.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sqli</category><category>cve-2018-25185</category><category>webserver</category></item><item><title>Shipping System CMS 1.0 Authentication Bypass via SQL Injection</title><link>https://feed.craftedsignal.io/briefs/2024-01-shipping-cms-sqli/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-shipping-cms-sqli/</guid><description>Shipping System CMS 1.0 is vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication by injecting SQL code through the username parameter.</description><content:encoded><![CDATA[<p>Shipping System CMS 1.0 is susceptible to SQL injection attacks, specifically targeting the authentication process. This vulnerability, identified as CVE-2018-25183, allows unauthenticated attackers to bypass the login mechanism by injecting malicious SQL code into the username parameter. The attack leverages boolean-based blind SQL injection techniques, enabling attackers to authenticate without providing valid credentials. Successful exploitation grants unauthorized access to administrative functionalities of the CMS, posing a significant risk to data confidentiality, integrity, and availability. This vulnerability was published in 2026.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker sends a POST request to the <code>/admin/login</code> endpoint.</li>
<li>The POST request includes a crafted <code>username</code> parameter containing a malicious SQL payload designed for boolean-based blind injection.</li>
<li>The application processes the injected SQL code without proper sanitization or parameterization.</li>
<li>The injected SQL code manipulates the authentication query to return true, regardless of the actual username and password.</li>
<li>The application incorrectly authenticates the attacker based on the manipulated query results.</li>
<li>The attacker gains unauthorized access to the administrative panel of Shipping System CMS 1.0.</li>
<li>Attacker exploits their access to modify system configurations, access sensitive data, or perform other malicious activities.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this SQL injection vulnerability leads to complete authentication bypass, granting attackers full administrative control over affected Shipping System CMS 1.0 instances. This can result in unauthorized data access, modification, or deletion, potentially leading to significant financial loss, reputational damage, and disruption of shipping operations. The vulnerability has a CVSS v3.1 score of 8.2, indicating a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect Shipping System CMS SQL Injection Attempt</code> to your SIEM to identify potential exploitation attempts targeting the login endpoint.</li>
<li>Inspect web server logs for suspicious POST requests to the <code>/admin/login</code> endpoint with unusual characters or SQL keywords in the <code>username</code> parameter to detect SQL injection attempts (webserver logs).</li>
<li>Apply input validation and sanitization to the <code>username</code> parameter in Shipping System CMS 1.0, or upgrade to a patched version if available, to prevent SQL injection (CVE-2018-25183).</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>sql-injection</category><category>authentication-bypass</category><category>web-application</category></item></channel></rss>