CVE Vulnerability Database

CVE-2018-25319: Redaxo CMS MyEvents SQL Injection Flaw

CVE-2018-25319 is an SQL injection vulnerability in Redaxo CMS MyEvents addon 2.2.1 that allows authenticated attackers to manipulate database queries. This article covers the technical details, affected versions, and mitigation.


CVE-2018-25319 Overview

CVE-2018-25319 is an SQL injection vulnerability in version 2.2.1 of the MyEvents addon for Redaxo CMS. The flaw is in the event_add.php script, which takes the myevents_id GET parameter and builds it into an SQL query without validating it or binding it as a parameter. Authenticated attackers can inject arbitrary SQL to read, modify, or delete database records. The vulnerability is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).

Critical Impact

Authenticated attackers can extract or manipulate database contents by injecting SQL through the myevents_id parameter of event_add.php.

Affected Products

  • Redaxo CMS MyEvents Addon version 2.2.1
  • Deployments using the MyEvents addon distributed via the GitHub project repository
  • Redaxo CMS installations exposing event_add.php to authenticated users

Discovery Timeline

  • 2026-05-17 - CVE-2018-25319 published to NVD
  • 2026-05-18 - Last updated in NVD database

Technical Details for CVE-2018-25319

Vulnerability Analysis

The MyEvents addon for Redaxo CMS accepts the myevents_id parameter through HTTP GET requests targeting event_add.php. The application concatenates this user-supplied value directly into a SQL query without parameterization or input validation. Attackers with authenticated sessions can submit crafted values to alter query logic.

Successful exploitation enables extraction of sensitive data from the backend database. The CVSS vector recorded for the CVE describes a network-accessible attack that requires low privileges and no user interaction, with high confidentiality impact and limited integrity impact. The EPSS score of 0.024% reflects low observed exploitation activity, but a public proof of concept exists as Exploit-DB entry 44261, so the only real barrier is obtaining an authenticated session.

Root Cause

The root cause is missing input neutralization in the handling of the myevents_id GET parameter inside event_add.php. The addon constructs SQL queries through direct string concatenation rather than prepared statements with bound parameters. Any special SQL characters submitted in the parameter are interpreted as query syntax by the database engine.

Attack Vector

An authenticated attacker sends a GET request to event_add.php with a malicious myevents_id value. The injected payload modifies the SQL query executed against the Redaxo database. Standard SQL injection techniques apply, including UNION-based extraction, boolean-based blind injection, and time-based blind injection.

No verified code samples are published with the CVE record. Refer to the VulnCheck advisory for SQL injection in MyEvents for technical reproduction steps.

Detection Methods for CVE-2018-25319

Indicators of Compromise

  • HTTP GET requests to event_add.php containing SQL metacharacters such as single quotes, UNION, SELECT, SLEEP, or comment sequences in the myevents_id parameter
  • Database error messages (SQL syntax errors, for example from an unbalanced quote) appearing in the Redaxo or web server error logs, or surfacing as 5xx responses, for requests to event_add.php
  • Authenticated user sessions issuing repeated requests to event_add.php with varying myevents_id values

Detection Strategies

  • Inspect web server access logs for requests to event_add.php whose myevents_id value is anything other than a plain integer; URL-decode the value before matching, since payloads usually arrive percent-encoded (for example %27 for a single quote) or plus-encoded
  • Deploy web application firewall rules that flag SQL injection signatures targeting the myevents_id parameter
  • Correlate authenticated session activity with database query anomalies originating from the MyEvents addon
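
The indicators and detection strategies above, applied to access log lines as an added example written for this page (not tooling from the CVE record or the MyEvents project). It assumes the Combined Log Format with one extra trailing field for the request duration in seconds (nginx $request_time), a hypothetical addon path for event_add.php, and constructed sample lines; the burst threshold and slow-response threshold are assumptions as well.

```python
"""Added example, not part of the CVE record or the MyEvents addon: scan web
server access logs for CVE-2018-25319 probing of event_add.php.

Assumptions (not stated on the page): Combined Log Format with one trailing
field for the request duration in seconds (nginx $request_time), a
hypothetical addon path, and constructed sample lines.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample traffic (not real logs); last field is request seconds.
SAMPLE_LOG = """\
10.0.0.5 - alice [18/May/2026:10:01:02 +0000] "GET /redaxo/index.php?page=myevents HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.031
10.0.0.9 - bob [18/May/2026:10:02:10 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=12 HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 0.028
10.0.0.9 - bob [18/May/2026:10:02:14 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=12%27 HTTP/1.1" 500 812 "-" "Mozilla/5.0" 0.030
10.0.0.9 - bob [18/May/2026:10:02:19 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=12+UNION+SELECT+1,2,3--+ HTTP/1.1" 200 6100 "-" "Mozilla/5.0" 0.035
10.0.0.9 - bob [18/May/2026:10:02:25 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=12+AND+SLEEP(5) HTTP/1.1" 200 4096 "-" "Mozilla/5.0" 5.041
10.0.0.7 - carol [18/May/2026:10:03:00 +0000] "GET /redaxo/addons/myevents/event_add.php?myevents_id=13 HTTP/1.1" 200 4100 "-" "Mozilla/5.0" 0.027
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: (?P<secs>[\d.]+))?$'
)
# SQL metacharacters and keywords listed under Indicators of Compromise.
SQLI_RE = re.compile(r"('|--|/\*|;|\b(?:union|select|sleep|benchmark)\b)", re.I)
TIME_RE = re.compile(r"\b(?:sleep|benchmark)\b", re.I)


def analyze(log_text, slow_seconds=3.0, burst_threshold=3):
    """Return (findings, bursts): per-request flags, and actors cycling values."""
    findings = []
    values_by_actor = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if not url.path.endswith("/event_add.php"):
            continue
        raw = parse_qs(url.query, keep_blank_values=True).get("myevents_id")
        if raw is None:
            continue
        # parse_qs decodes once; decode again to catch double-encoded payloads.
        value = unquote_plus(raw[0])
        actor = (m.group("ip"), m.group("user"))
        values_by_actor[actor].add(value)

        reasons = []
        if not re.fullmatch(r"[0-9]+", value):
            reasons.append("non-numeric")       # legitimate values are integer IDs
        if SQLI_RE.search(value):
            reasons.append("sql-metachar")
        secs = float(m.group("secs")) if m.group("secs") else None
        if secs is not None and secs >= slow_seconds and TIME_RE.search(value):
            reasons.append("time-based")        # slow response plus SLEEP/BENCHMARK
        if m.group("status").startswith("5") and reasons:
            reasons.append("server-error")      # DB error surfaced as a 5xx
        if reasons:
            findings.append({"actor": actor, "ts": m.group("ts"),
                             "value": value, "status": m.group("status"),
                             "reasons": reasons})
    # Same actor hitting event_add.php with many distinct myevents_id values.
    bursts = {a: sorted(v) for a, v in values_by_actor.items()
              if len(v) >= burst_threshold}
    return findings, bursts


if __name__ == "__main__":
    found, cycling = analyze(SAMPLE_LOG)
    for f in found:
        print(f["ts"], f["actor"], f["status"], f["reasons"], repr(f["value"]))
    for actor, values in cycling.items():
        print("burst:", actor, values)
```

On the sample above, the three probing lines from bob are flagged (the quote yields a 500 and is marked as a server error, the UNION line as metacharacters, the SLEEP line as time-based because it took over five seconds), and bob is reported as a burst for cycling four distinct values. Matching on "anything not an integer" rather than on a metacharacter list is what keeps encoded or obfuscated payloads from slipping through.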

Monitoring Recommendations

  • Enable query logging on the Redaxo database backend (for MySQL/MariaDB the general query log, which records every statement and is costly, so enable it temporarily and correlate by timestamp with event_add.php requests, since the log does not name the originating script)
  • Alert on response time deviations consistent with time-based blind SQL injection probes
  • Monitor for outbound data transfer spikes from the web host that could indicate database exfiltration

How to Mitigate CVE-2018-25319

Immediate Actions Required

  • Restrict access to event_add.php to trusted administrators until a patched version is deployed
  • Review authentication and session controls to limit which users can reach the vulnerable endpoint
  • Audit database accounts used by Redaxo to enforce least privilege on tables accessible from the MyEvents addon

Patch Information

No vendor security advisory or fixed version is referenced in the CVE record. Administrators should consult the MyEvents GitHub repository for current releases and apply any updates that address the myevents_id parameter handling. Replacing string concatenation with parameterized queries in event_add.php is the canonical remediation for CWE-89.

Workarounds

  • Place a web application firewall in front of the Redaxo installation with a rule that allows only integer values for the myevents_id parameter; an allow-list is more robust than blocking individual SQL metacharacters, which encoding tricks can evade
  • Implement server-side input validation that enforces a strict integer type for myevents_id before query execution
  • Remove or disable the MyEvents addon if event management functionality is not required

```apache
# Example ModSecurity rule: reject any myevents_id that is not a plain decimal
# integer. ARGS:myevents_id matches the parameter in both the query string and
# the request body, so a POST variant is covered too; phase:2 runs once the
# request body has been parsed.
SecRule ARGS:myevents_id "!@rx ^[0-9]+$" \
    "id:1002501,phase:2,deny,status:403,log,\
    msg:'CVE-2018-25319 - Non-numeric myevents_id blocked'"
```
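
The concatenation described in the root-cause and attack-vector sections, beside the parameterized query and integer check that the patch information and workarounds above call for, as an added example written for this page in Python on SQLite. It is not the addon's PHP code: the page shows neither the query nor the schema, so the tables, columns and rows are hypothetical stand-ins, and the time-based variant is left out because SQLite has no SLEEP function.

```python
"""Added example (not the MyEvents addon's code): the CWE-89 pattern behind
CVE-2018-25319 reproduced in Python on SQLite, beside the parameterized fix.

The addon is PHP and the page shows neither its query nor the schema, so the
tables, columns and rows here are hypothetical stand-ins.
"""
import sqlite3


class InvalidEventId(ValueError):
    """Raised by the hardened lookup when myevents_id is not a decimal integer."""


def make_db():
    # In-memory stand-in for the Redaxo database (hypothetical schema and rows).
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE myevents (id INTEGER PRIMARY KEY, title TEXT, location TEXT);
        INSERT INTO myevents VALUES (12, 'Board meeting', 'Room 4');
        INSERT INTO myevents VALUES (13, 'Release party', 'Lobby');
        CREATE TABLE rex_user (id INTEGER PRIMARY KEY, login TEXT, password TEXT);
        INSERT INTO rex_user VALUES (1, 'admin', '$2y$10$constructedhash');
    """)
    return conn


def vulnerable_lookup(conn, myevents_id):
    """Mirrors the flaw: the GET parameter is concatenated into the SQL text."""
    sql = "SELECT title, location FROM myevents WHERE id = " + myevents_id
    return conn.execute(sql).fetchall()


def hardened_lookup(conn, myevents_id):
    """Fix: strict integer allow-list, then the value is bound, never spliced."""
    if not (myevents_id.isascii() and myevents_id.isdigit()):
        raise InvalidEventId(f"myevents_id must be a decimal integer, got {myevents_id!r}")
    sql = "SELECT title, location FROM myevents WHERE id = ?"
    return conn.execute(sql, (int(myevents_id),)).fetchall()


UNION_PAYLOAD = "12 UNION ALL SELECT login, password FROM rex_user"


def demo():
    """Run the injection classes from the attack-vector section against both lookups."""
    conn = make_db()
    out = {
        "normal": vulnerable_lookup(conn, "12"),
        # UNION-based: the appended SELECT returns credential rows as if they were events.
        "union": vulnerable_lookup(conn, UNION_PAYLOAD),
        # Boolean-based blind: the result set differs with the truth of the injected tail.
        "bool_true": vulnerable_lookup(conn, "12 AND 1=1"),
        "bool_false": vulnerable_lookup(conn, "12 AND 1=2"),
        "fixed": hardened_lookup(conn, "12"),
    }
    # A stray quote makes the engine emit a syntax error: the "unusual database
    # error message" listed among the indicators of compromise.
    try:
        vulnerable_lookup(conn, "12'")
        out["error"] = None
    except sqlite3.OperationalError as exc:
        out["error"] = str(exc)
    # The hardened lookup rejects the payload before it reaches the engine.
    try:
        hardened_lookup(conn, UNION_PAYLOAD)
        out["fixed_rejects_payload"] = False
    except InvalidEventId:
        out["fixed_rejects_payload"] = True
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value!r}")
```

Even without the integer check, the bound parameter alone would defeat the payload, because the driver sends the whole string as a value and the query simply matches no row; the check is kept because a 400 on bad input is a better signal than a silent empty result, and it is the same allow-list the WAF rule above enforces at the edge.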

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
