CVE-2021-44599
Last modified
CVE-2021-44599 is a high-severity vulnerability rated 7.5/10 on the CVSS scale. The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. EPSS estimates a 1.21% chance of exploitation in the next 30 days.
Description
The id parameter from Online Enrollment Management System 1.0 system appears to be vulnerable to SQL injection attacks. A crafted payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed. The attacker can retrieve sensitive information for all users of this system.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Online Enrollment Management System Project | Online Enrollment Management System | 1.0 |
References
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/Online-Enrollment-Management-SystemExploit, Third Party Advisory
- https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/janobe/Online-Enrollment-Management-SystemExploit, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2021-44599?
How severe is CVE-2021-44599?
How do I fix CVE-2021-44599?
Are you affected by CVE-2021-44599?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST