Platform: nodejs
Component: flintcms
Fixed in: 1.1.10
CVE-2018-3783 is a critical SQL Injection vulnerability affecting versions of flintcms before 1.1.10. This flaw allows attackers to perform blind MongoDB injection during the password reset process, potentially leading to complete account takeover. The vulnerability was published on August 21, 2018, and a fix is available in version 1.1.10.
The impact of CVE-2018-3783 is significant due to the potential for complete account takeover. An attacker exploiting this vulnerability can bypass authentication and gain unauthorized access to sensitive user data, including personal information, financial details, and potentially administrative privileges. The blind MongoDB injection technique allows attackers to extract data without directly observing the results of their queries, making detection more difficult. This vulnerability resembles other database injection attacks where attackers manipulate database queries to gain unauthorized access.
CVE-2018-3783 was publicly disclosed on August 21, 2018. While no active exploitation campaigns have been definitively linked to this specific vulnerability, the severity and ease of exploitation make it a potential target. No public proof-of-concept exploits have been widely published, but the technique of blind MongoDB injection is well-understood, increasing the likelihood of exploitation if the vulnerability remains unpatched.
Exploit Status
EPSS: 4.78% (89th percentile)
CVSS Vector
The primary mitigation for CVE-2018-3783 is to immediately upgrade to version 1.1.10 or later of flintcms. If upgrading is not immediately feasible, consider implementing temporary workarounds such as restricting access to the password reset functionality or implementing stricter input validation on the password reset form. While a WAF might offer some protection, it is not a substitute for patching. After upgrading, confirm the fix by attempting a password reset and verifying that the database queries are properly sanitized.
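One way to apply the stricter input validation mentioned above, as an added example that is not flintcms code: a Node.js check that rejects password reset requests whose fields arrive as objects or arrays instead of plain strings. The `token` field name, the token format and the function names are assumptions for illustration.

```javascript
// Added example, not flintcms code. The field name "token" and the token
// format below are assumptions for illustration.
const TOKEN_RE = /^[A-Za-z0-9_-]{16,128}$/;

// True if any key, at any depth, could be read by MongoDB as an operator
// ("$...") or a dotted path. Parsed JSON and bracketed form fields can
// deliver such objects where the handler expects a string.
function hasOperatorKeys(input) {
  if (input === null || typeof input !== 'object') return false;
  return Object.entries(input).some(
    ([key, value]) =>
      key.startsWith('$') || key.includes('.') || hasOperatorKeys(value)
  );
}

// Build the lookup filter from a validated scalar only; throw otherwise.
function buildResetFilter(body) {
  if (body === null || typeof body !== 'object' || hasOperatorKeys(body)) {
    throw new TypeError('request body rejected: operator-style keys');
  }
  const { token } = body;
  if (typeof token !== 'string' || !TOKEN_RE.test(token)) {
    throw new TypeError('request body rejected: token is not a valid string');
  }
  // $eq forces the value to be compared literally.
  return { token: { $eq: token } };
}

// Returns "accepted" or the rejection message for one request body.
function checkResetBody(body) {
  try {
    buildResetFilter(body);
    return 'accepted';
  } catch (err) {
    return err.message;
  }
}

// Constructed sample bodies, as a body parser might deliver them.
const samples = [
  { token: 'Zk3v9QmT1xYb7LrA2sNd' },   // well-formed string token
  { token: { $ne: null } },            // object where a string is expected
  { token: ['Zk3v9QmT1xYb7LrA2sNd'] }, // array where a string is expected
  { token: 'short' },                  // wrong format
];
for (const body of samples) {
  console.log(JSON.stringify(body), '->', checkResetBody(body));
}
```

Logging rejected bodies from a check like this also gives a detection signal for injection attempts against the reset endpoint.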
CVE-2018-3783 is a critical SQL Injection vulnerability in flintcms versions before 1.1.10, allowing attackers to exploit a blind MongoDB injection during password reset.
If you are using a version of flintcms older than 1.1.10, you are vulnerable to this SQL Injection attack.
Upgrade to version 1.1.10 or later of flintcms to resolve this vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation make it a potential target.
Refer to the flintcms project's official website or security advisories for the most up-to-date information and announcements regarding CVE-2018-3783.