HIGH 7.1

CVE-2018-25431: SQL Injection in No-Cms 1.0 Privilege Export – Risk Assessment

No-Cms 1.0 contains a SQL injection flaw in its privilege management export feature. An authenticated user can craft a specially formatted request to extract sensitive data from the application's database by injecting malicious SQL commands into the order_by parameter. The vulnerability requires valid credentials but poses significant risk to data confidentiality.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
Weaknesses (CWE)
CWE-89
Affected products
0 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

No-Cms 1.0 contains an SQL injection vulnerability in the order_by parameter of the manage_privilege export endpoint that allows authenticated attackers to manipulate database queries. Attackers can submit POST requests to /nocms/main/manage_privilege/index/export with malicious SQL code in the order_by[0] parameter to extract sensitive database information.

4 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2018-25431 is a SQL injection vulnerability (CWE-89) in No-Cms 1.0's manage_privilege endpoint. The export function accepts POST requests to /nocms/main/manage_privilege/index/export and fails to properly sanitize the order_by[0] parameter before constructing database queries. Attackers with valid authentication can inject SQL metacharacters to bypass query logic, enabling unauthorized data retrieval. The CVSS 3.1 score of 7.1 reflects high confidentiality impact, low integrity risk, and no availability impact (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N).

Business impact

Authenticated users with access to the privilege management interface can extract sensitive database records—including potentially credentials, user data, or business-critical information—without administrative privileges. While the attack requires valid login credentials, compromised accounts (contractor access, vendor integration accounts, or phished employee credentials) present a realistic entry point. Data exfiltration risk is high; system disruption is not an immediate concern since integrity and availability are only marginally affected.

Affected systems

No-Cms version 1.0 is affected. Users should verify whether this version is deployed in their environment, particularly in internal administrative portals or privilege management dashboards. Earlier or later versions have not been identified as affected based on available vendor information; verify current deployments against vendor advisories.

Exploitability

Exploitation requires valid authentication credentials and access to the manage_privilege interface, reducing the attack surface compared to unauthenticated vulnerabilities. However, the attack is trivial once authenticated—simple POST requests with malicious SQL in the order_by parameter suffice. No advanced exploitation techniques are required. The vulnerability is not currently tracked in CISA's Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public weaponization to date, though the straightforward nature of SQL injection means exploitation tools could emerge quickly.

Remediation

Upgrade No-Cms to a patched version addressing CVE-2018-25431. Until patching is feasible, implement input validation and parameterized queries (prepared statements) for all database operations involving user-controlled parameters. Apply principle of least privilege to database accounts used by the application. Monitor for suspicious SQL queries in database logs.

Patch guidance

Check the official No-Cms project repository or vendor advisories for the specific patched version addressing this vulnerability. Apply patches in a test environment first to ensure compatibility with existing configurations. Verify the fix by confirming the order_by parameter is properly sanitized or parameterized in the export endpoint.

Detection guidance

Monitor HTTP POST requests to /nocms/main/manage_privilege/index/export for unusual order_by parameter values containing SQL keywords (UNION, SELECT, WHERE, OR, AND, semicolons). Log successful database queries triggered by this endpoint and alert on queries that exceed expected result sets or access tables outside the privilege management scope. Web application firewalls (WAF) rules targeting SQL injection patterns in POST parameters can provide real-time protection.

Why prioritize this

This vulnerability merits prompt attention due to its HIGH severity rating and direct data exfiltration risk. While authentication is required, many organizations have multiple users with admin or privileged access, and credential compromise is common. The attack is trivial to execute and detection may be overlooked in environments with limited query logging. Organizations should prioritize patching within 30 days if No-Cms 1.0 is internet-facing or accessible to external partners.

Risk score, explained

The CVSS 3.1 score of 7.1 reflects: (1) network-accessible attack vector (AV:N) lowering friction, (2) low attack complexity (AC:L) requiring only standard HTTP POST, (3) requirement for low-privilege authentication (PR:L) as a restraining factor, (4) high confidentiality impact (C:H) from unrestricted database queries, and (5) low integrity and no availability impact. The score appropriately balances the authenticated barrier against the severity of unauthorized data disclosure.

Frequently asked questions

Does this vulnerability affect No-Cms versions other than 1.0?

Based on available information, only version 1.0 is documented as affected. However, organizations running other versions should verify against the vendor's security advisories, as older versions may share the vulnerability if they use the same endpoint logic, and newer versions should confirm the fix.

Can this vulnerability be exploited by unauthenticated users?

No. The vulnerability requires valid authentication credentials to access the /nocms/main/manage_privilege/index/export endpoint. However, if an attacker obtains valid credentials through phishing, credential stuffing, or insider activity, they can exploit it.

What types of data are at risk?

Any data accessible through the No-Cms database is at risk, depending on the application's schema and database permissions. This typically includes user account details, privilege assignments, audit logs, and potentially sensitive business records stored in the same database.

Is there a workaround if we cannot patch immediately?

Implement network-level restrictions to limit access to the /nocms/main/manage_privilege/index/export endpoint (e.g., IP whitelisting). Apply a WAF rule to block requests with SQL injection signatures in the order_by parameter. These are temporary measures only; patching should remain the priority.

This analysis is based on publicly available CVE data and vendor advisories current as of the publication date. CVSS scores, patch versions, and affected product lists should be verified against official vendor releases. SEC.co does not provide legal, compliance, or formal risk assessment services. Organizations must conduct independent risk assessments aligned with their threat models and regulatory obligations before making remediation decisions. No exploitation code or weaponized proof-of-concept is provided in this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).