Vulnerability CVE-2021-37806


Published: 2021-10-27

Description:
An SQL Injection vulnerability exists in https://phpgurukul.com Vehicle Parking Management System affected version 1.0. The system is vulnerable to time-based SQL injection on multiple endpoints. Based on the SLEEP(N) function payload that will sleep for a number of seconds used on the (1) editid , (2) viewid, and (3) catename parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.

Type:

CWE-89

(Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'))

CVSS2 => (AV:N/AC:M/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4.3/10
2.9/10
8.6/10
Exploit range
Attack complexity
Authentication
Remote
Medium
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
Vehicle parking management system project -> Vehicle parking management system 

 References:
https://packetstormsecurity.com/files/163626/Vehicle-Parking-Management-System-1.0-SQL-Injection.html
https://streamable.com/rfcchi
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-37806

Copyright 2024, cxsecurity.com

 

Back to Top