CVE-2018-25300: XATABoost CMS SQL Injection Allows Unauthenticated Data Extraction

The National Vulnerability Database has detailed CVE-2018-25300, a union-based SQL injection vulnerability impacting XATABoost CMS version 1.0.0. This flaw allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code via the `id` parameter in GET requests to `news.php`.

This vulnerability, rated 8.2 (HIGH) on the CVSS scale, enables attackers to extract sensitive database information. The impact is significant, as it requires no authentication, making exploitation straightforward for any adversary who can reach the affected web server. While specific affected products beyond XATABoost CMS 1.0.0 are not detailed, organizations using this particular version are directly exposed.

Attackers’ calculus here is simple: unauthenticated access to database contents. For defenders, this means a direct path to sensitive data for anyone with basic SQLi knowledge. The CWE-89 classification highlights a fundamental security failure that should have been caught in development.

What This Means For You

  • If your organization is running XATABoost CMS 1.0.0, you are critically exposed to unauthenticated data exfiltration. Attackers can easily dump your database. You need to immediately identify all instances of this CMS, take them offline, and patch or migrate to a more secure platform. Audit your web server logs for any suspicious GET requests to `news.php` with unusual `id` parameters.
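
One way to run the log audit recommended above, as an added example (not code from NVD, the vendor, or this page's source): it URL-decodes each GET request to `news.php` and flags `id` values that are non-numeric or contain the strings this page's Sigma rule looks for. It assumes Combined Log Format and that legitimate `id` values are plain integers; the function name `audit` and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: client IP, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Substrings from the Sigma rule on this page, matched after URL-decoding.
MARKERS = ("union select", "@@version", "user()", "database()")

# Constructed sample access-log lines (documentation IP ranges, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [29/Apr/2026:10:00:01 +0000] "GET /news.php?id=7 HTTP/1.1" 200 5120',
    '198.51.100.23 - - [29/Apr/2026:10:00:05 +0000] "GET /news.php?id=7%20UNION%20SELECT%20database() HTTP/1.1" 200 5312',
    '198.51.100.23 - - [29/Apr/2026:10:00:09 +0000] "GET /cms/news.php?id=-1+union+select+@@version HTTP/1.1" 200 4990',
    '192.0.2.44 - - [29/Apr/2026:10:01:00 +0000] "POST /news.php?id=3 HTTP/1.1" 405 120',
    '192.0.2.44 - - [29/Apr/2026:10:01:30 +0000] "GET /index.php?id=1%27 HTTP/1.1" 200 800',
]

def audit(lines):
    """Return (ip, timestamp, decoded id, reasons) for suspicious news.php GETs."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue
        url = urlsplit(m["target"])
        if not url.path.lower().endswith("/news.php"):
            continue
        # parse_qs percent-decodes values and turns '+' into a space.
        for value in parse_qs(url.query, keep_blank_values=True).get("id", []):
            reasons = []
            # Assumption: legitimate article ids are plain ASCII integers.
            if not re.fullmatch(r"[0-9]+", value):
                reasons.append("non-numeric id")
            flat = " ".join(value.lower().split())  # lowercase, collapse whitespace
            reasons += [f"contains {k}" for k in MARKERS if k in flat]
            if reasons:
                findings.append((m["ip"], m["ts"], value, reasons))
    return findings

if __name__ == "__main__":
    for ip, ts, value, reasons in audit(SAMPLE):
        print(f"{ts} {ip} id={value!r}: {', '.join(reasons)}")
```

Because matching happens after decoding, this catches percent-encoded and `+`-separated requests that a raw substring match on the query string would miss.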

Detection Rules

2 detection rules were auto-generated for this incident, mapped to MITRE ATT&CK.

CVE-2018-25300: XATABoost CMS Unauthenticated SQL Injection via id parameter (Sigma; level high; T1190, Initial Access)

```yaml
# The title is quoted because a plain YAML scalar cannot contain ': '.
title: 'CVE-2018-25300: XATABoost CMS Unauthenticated SQL Injection via id parameter'
id: scw-2026-04-29-ai-1
status: experimental
level: high
description: |
  Detects exploitation attempts against XATABoost CMS 1.0.0 by looking for GET requests to 'news.php' containing SQL UNION SELECT statements and common SQL functions used for data extraction. This targets the specific SQL injection vulnerability in CVE-2018-25300.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25300/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Match the script path without the query string, wherever the CMS is installed.
    cs-uri-stem|endswith: '/news.php'
    cs-method: 'GET'
    # Matched against the logged query string; percent-encoded or '+'-separated
    # requests must be decoded upstream before 'UNION SELECT' can match.
    cs-uri-query|contains:
      - 'UNION SELECT'
      - '@@version'
      - 'user()'
      - 'database()'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```

Source: Shimi's Cyber World

Indicators of Compromise

| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25300 | SQLi | XATABoost CMS version 1.0.0 |
| CVE-2018-25300 | SQLi | union-based SQL injection |
| CVE-2018-25300 | SQLi | GET request to news.php with 'id' parameter |

Source & Attribution

| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 23:16 UTC |

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
