CVE-2021-37808

Description

SQL Injection vulnerabilities exist in https://phpgurukul.com News Portal Project 3.1 via the (1) category, (2) subcategory, (3) sucatdescription, and (4) username parameters, the server response is about (N) seconds delay respectively which mean it is vulnerable to MySQL Blind (Time Based). An attacker can use sqlmap to further the exploitation for extracting sensitive information from the database.

Related CPE's

anews_portal_projectnews_portal3.1*******

References

https://packetstormsecurity.com/files/163575/News-Portal-Project-3.1-SQL-Injection.html

Third Party AdvisoryVDB Entry

https://www.nu11secur1ty.com/2021/12/cve-2021-37808.html

ExploitThird Party Advisory

https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-37808

ExploitThird Party Advisory

CvssV3 impact

Version

3.1

VectorString

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

AttackVector

NETWORK

AttackComplexity

HIGH

PrivilegesRequired

NONE

UserInteraction

NONE

Scope

UNCHANGED

ConfidentialityImpact

HIGH

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

5.9

BaseSeverity

MEDIUM

CvssV2 impact

Version

2.0

VectorString

AV:N/AC:M/Au:N/C:P/I:N/A:N

AccessVector

NETWORK

AccessComplexity

MEDIUM

Authentication

NONE

ConfidentialityImpact

PARTIAL

IntegrityImpact

NONE

AvailabilityImpact

NONE

BaseScore

4.300000190734863

Created by Yello
About Severity.io