Attacker Value
Very High
(1 user assessed)
Exploitability
Very High
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Network
2

CVE-2021-33470

Disclosure Date: May 26, 2021
CVE-2021-33470 CVSS v3 Base Score: 9.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Execution
Techniques
Validation
Validated
Validated
Validated

Description

COVID19 Testing Management System 1.0 is vulnerable to SQL Injection via the admin panel.

Add Assessment

1
Ratings
  • Attacker Value
    Very High
  • Exploitability
    Very High
Common in enterpriseEasy to weaponizeGives privileged accessVulnerable in default configuration
Technical Analysis

CTMS

Vendor

Description:

The parameters username and contactno from COVID 19 Testing Management System (CTMS) 1.0 are vulnerable to Remote Code SQL injection attacks.
Test REQUESTS: Payloads 27325265’ or 8079=8079— and 35638130’ or 9157=9162—.
These two requests resulted in different responses, indicating that the input is being incorporated into a SQL query in an unsafe way.
The attacker can execute a Remote Code Injection to override the current password for the admin account directly from the broadcast networks!
Status Critical and awful.
BR nu11secur1ty

Reproduce:

href

Proof:

href

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
9.8 Critical
Impact Score:
5.9
Exploitability Score:
3.9
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
n/a
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • phpgurukul

Products

  • covid19 testing management system 1.0
Technical Analysis