CVE-2018-25431 Overview
CVE-2018-25431 is a SQL injection vulnerability in No-CMS 1.0, an open-source content management system maintained by goFrendiAsgard. The flaw resides in the order_by parameter of the manage_privilege export endpoint. Authenticated attackers can send crafted POST requests to /nocms/main/manage_privilege/index/export with malicious SQL in the order_by[0] parameter. Successful exploitation allows extraction of sensitive database contents. The weakness is classified as [CWE-89] Improper Neutralization of Special Elements used in an SQL Command.
Critical Impact
Authenticated attackers can execute arbitrary SQL queries against the backend database, exposing credentials, privilege tables, and other sensitive records stored by No-CMS.
Affected Products
- No-CMS version 1.0
- manage_privilege export functionality (/nocms/main/manage_privilege/index/export)
- Deployments sourced from the goFrendiAsgard/No-CMS GitHub repository
Discovery Timeline
- 2026-06-01 - CVE-2018-25431 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2018-25431
Vulnerability Analysis
No-CMS exposes an export action under the manage_privilege controller that accepts user-controlled sorting input through the order_by[0] array parameter. The application concatenates this value directly into the ORDER BY clause of a database query without parameterization or allow-list validation. Because the column names and sort directions in an ORDER BY clause cannot be supplied through standard prepared-statement placeholders, developers must apply strict input filtering, which No-CMS does not perform. An authenticated user with access to the privilege management feature can therefore alter the query structure and read arbitrary data from the underlying database.
Root Cause
The root cause is improper neutralization of SQL syntax in the order_by parameter handler inside the privilege export workflow. The controller trusts the array element supplied via POST and forwards it to the data access layer, where it becomes part of a dynamically constructed SQL statement. No type checking, column allow-list, or escape routine sits between the HTTP request and query execution.
Attack Vector
Exploitation requires network access to the No-CMS instance and a valid authenticated session with permission to reach the privilege export endpoint. The attacker submits a POST request to /nocms/main/manage_privilege/index/export containing a payload such as a UNION-based or time-based SQL injection in order_by[0]. The server executes the modified query and returns or processes the resulting data, enabling extraction of database rows. Public proof-of-concept material is available through Exploit-DB #45903 and the VulnCheck SQL Injection Advisory.
Detection Methods for CVE-2018-25431
Indicators of Compromise
- POST requests to /nocms/main/manage_privilege/index/export containing SQL keywords such as UNION, SELECT, SLEEP, or INFORMATION_SCHEMA inside the order_by[0] parameter.
- Unusually large response payloads or extended response times from the privilege export endpoint, indicating data extraction or time-based injection.
- Web server logs showing repeated export requests from a single authenticated session within a short interval.
Detection Strategies
- Inspect web application logs for order_by values that contain SQL metacharacters such as ', --, /*, or parentheses.
- Deploy a web application firewall rule that blocks SQL syntax inside array-style query parameters submitted to No-CMS endpoints.
- Correlate authenticated session activity with database error logs to identify failed injection attempts that produced syntax errors.
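One way to run the log inspection described above, as an added example that is not part of the original advisory or the No-CMS code base. It assumes a request log with one JSON object per line carrying `session`, `method`, `path` and the raw POST `body` (a hypothetical format), and treats any order_by value that is not a bare column name with an optional direction as suspicious.

```python
import json
import re
from urllib.parse import parse_qsl

EXPORT_PATH = "/nocms/main/manage_privilege/index/export"  # endpoint named in the advisory
# Assumption: a legitimate sort value is a bare column name, optionally followed by a direction.
SAFE_ORDER = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*(\s+(asc|desc))?$", re.I)
# Keywords and metacharacters listed in the advisory's indicators and detection strategies.
SQL_MARKERS = re.compile(r"union|select|sleep|information_schema|'|--|/\*|[()]", re.I)

# Constructed sample records in the assumed JSON-lines format (not real traffic).
SAMPLE_LOG = """\
{"ts": "2024-01-01T10:00:00Z", "session": "s-admin", "method": "POST", "path": "/nocms/main/manage_privilege/index/export", "body": "order_by%5B0%5D=privilege_name&order_by%5B1%5D=asc"}
{"ts": "2024-01-01T10:05:10Z", "session": "s-7f3a", "method": "POST", "path": "/nocms/main/manage_privilege/index/export", "body": "order_by%5B0%5D=1+AND+SLEEP%285%29"}
{"ts": "2024-01-01T10:05:12Z", "session": "s-7f3a", "method": "POST", "path": "/nocms/main/manage_privilege/index/export", "body": "order_by%5B0%5D=privilege_name%3B"}
{"ts": "2024-01-01T10:06:00Z", "session": "s-22c1", "method": "POST", "path": "/nocms/main/login", "body": "identity=o%27brien"}
"""

def suspicious_order_by(record):
    """Return [(param, value, reason)] for order_by[...] values that are not plain column names."""
    if record.get("method") != "POST" or not record.get("path", "").startswith(EXPORT_PATH):
        return []
    findings = []
    # parse_qsl percent-decodes names and values, so encoded input is checked in clear form.
    for name, value in parse_qsl(record.get("body", ""), keep_blank_values=True):
        if not name.startswith("order_by["):
            continue
        if SAFE_ORDER.match(value.strip()):
            continue
        reason = "sql-marker" if SQL_MARKERS.search(value) else "not-a-column-name"
        findings.append((name, value, reason))
    return findings

def scan(log_text):
    """Group findings by session so repeated attempts from one login stand out."""
    by_session = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        hits = suspicious_order_by(record)
        if hits:
            by_session.setdefault(record.get("session", "?"), []).extend(hits)
    return by_session

if __name__ == "__main__":
    for session, hits in scan(SAMPLE_LOG).items():
        print(session, len(hits), hits)
```

Checking against a column-name pattern rather than a keyword list alone also catches values that break query structure without using any of the listed keywords.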
Monitoring Recommendations
- Forward No-CMS web server and database logs to a centralized analytics platform and alert on anomalous query patterns against privilege tables.
- Monitor outbound database query volume from the No-CMS application server for spikes that diverge from baseline export usage.
- Track authentication events for the privilege management role and flag accounts that access the export endpoint outside of expected administrative windows.
How to Mitigate CVE-2018-25431
Immediate Actions Required
- Restrict access to /nocms/main/manage_privilege/ to a minimal set of administrative accounts and trusted source IP ranges.
- Audit existing No-CMS user accounts and remove or downgrade any privilege that grants access to the export endpoint without operational need.
- Review database and application logs for prior exploitation of the order_by parameter and rotate credentials if compromise is suspected.
Patch Information
No vendor patch is referenced in the NVD entry for CVE-2018-25431. Operators should monitor the upstream GitHub No-CMS Project for fixes and review the latest source from the GitHub Repository Zip. Until a fix is published, apply the workarounds below.
Workarounds
- Implement an allow-list filter in the manage_privilege controller that accepts only known column names for the order_by parameter and rejects all other input.
- Place No-CMS behind a web application firewall configured to block SQL injection payloads in array parameters, with specific signatures for order_by[0].
- Disable or remove the privilege export feature in production deployments where it is not required for business operations.
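# Example WAF rule (ModSecurity) to block SQL syntax in the order_by parameter
# The first rule matches requests that carry an order_by[...] parameter.
# The chained rule inspects only the order_by[...] values, so SQL-like text in
# unrelated arguments does not trigger the block.
SecRule ARGS_NAMES "@rx ^order_by\[" \
    "id:1002543,phase:2,deny,status:403,\
    msg:'Possible SQLi in No-CMS order_by parameter (CVE-2018-25431)',\
    chain"
    SecRule ARGS:/^order_by\[/ "@rx (?i)(union\s+select|sleep\(|information_schema|--|/\*)" \
        "t:none,t:urlDecodeUni"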
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


