CVE-2018-13045 in Yeswiki Cercopitheque
Summary
by MITRE
SQL injection vulnerability in the "Bazar" page in Yeswiki Cercopitheque 2018-06-19-1 and earlier allows attackers to execute arbitrary SQL commands via the "id" parameter.
Once again VulDB remains the best source for vulnerability data.
Analysis
by VulDB Data Team • 08/26/2025
The CVE-2018-13045 vulnerability represents a critical sql injection flaw within the Yeswiki Cercopitheque 2018-06-19-1 and earlier versions, specifically targeting the Bazar page functionality. This vulnerability resides in the application's handling of user input through the "id" parameter, creating an exploitable entry point that allows malicious actors to manipulate database queries. The flaw demonstrates a classic insufficient input validation issue where the application fails to properly sanitize or escape user-supplied data before incorporating it into sql commands. This type of vulnerability falls under the CWE-89 category, which specifically addresses sql injection weaknesses in software applications.
The technical exploitation of this vulnerability occurs when an attacker submits a maliciously crafted "id" parameter value that bypasses normal input validation mechanisms. The application processes this untrusted input directly within sql query construction without proper sanitization, enabling attackers to inject arbitrary sql commands that execute within the database context. This allows for complete database compromise including data extraction, modification, or deletion, potentially leading to unauthorized access to sensitive information stored within the Yeswiki application's database. The vulnerability's impact is particularly severe as it affects the core database functionality of the platform, providing attackers with extensive privileges to manipulate the underlying data structure.
Operationally, this vulnerability presents significant risks to organizations relying on Yeswiki Cercopitheque systems, as successful exploitation can result in complete data breaches and system compromise. Attackers can leverage this flaw to extract confidential information, modify or delete database records, and potentially escalate privileges to gain administrative control over the affected systems. The vulnerability's persistence across multiple versions of the software indicates a fundamental design flaw in the input handling mechanisms, making it particularly dangerous for organizations that have not yet updated to patched versions. This type of vulnerability aligns with ATT&CK technique T1071.004, which covers application layer protocol manipulation, and T1046, covering network service discovery, as attackers may use this vulnerability to explore and expand their access within the network infrastructure.
Mitigation strategies for CVE-2018-13045 must prioritize immediate patch application to the latest available versions of Yeswiki Cercopitheque that address this specific vulnerability. Organizations should implement proper input validation and output encoding mechanisms to prevent similar issues in the future, ensuring that all user-supplied data undergoes rigorous sanitization before database interaction. Database access controls should be implemented to limit the privileges of database accounts used by the application, reducing the potential impact of successful exploitation. Additionally, organizations should deploy web application firewalls and intrusion detection systems to monitor for suspicious sql injection attempts, while conducting regular security assessments and penetration testing to identify and remediate similar vulnerabilities across their entire software portfolio.