CVE-2018-18982

HIGH

Nuuo Cms < 3.3 - SQL Injection

Title source: rule

Description

NUUO CMS All versions 3.3 and prior the web server application allows injection of arbitrary SQL characters, which can be used to inject SQL into an executing statement and allow arbitrary code execution.

Exploits (2)

exploitdb WORKING POC VERIFIED

by Metasploit · rubyremotewindows

https://www.exploit-db.com/exploits/46449

View Code ZIP pw:eip

metasploit WORKING POC NORMAL

by Pedro Ribeiro <[email protected]> · rubypocwin

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/nuuo/nuuo_cms_sqli.rb

View Code ZIP pw:eip

References (2)

[Third Party Advisory, US Government Resource] https://ics-cert.us-cert.gov/advisories/ICSA-18-284-02

[Exploit, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/46449/

Scores

CVSS v3 8.8

EPSS 0.6683

EPSS Percentile 98.6%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (1)

nuuo/nuuo_cms < 3.3

Published Nov 27, 2018

Tracked Since Feb 18, 2026