CVE-2021-28242
Published 2021-04-15

Priority: P2 · 61 · High · CVSS 3.1 base score 8.8
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 4.96% (91.1st percentile)
SQL Injection in the "evoadm.php" component of b2evolution v7.2.2-stable allows remote attackers to obtain sensitive database information by injecting SQL commands into the "cf_name" parameter when creating a new filter under the "Collections" tab.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| b2evolution | b2evolution | — | — |
Detection & IOCs (extracted from sources)

Request URLs from the public proof of concept (the 192.168.1.3 host is the PoC author's own target):
- http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT+*+FROM+%60evo_users%60+ORDER+BY+%60evo_&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections
- http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_blogs`%20ORDER%20BY%20`evo_blogs`.`blog_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections
- http://192.168.1.3/b2evolution/evoadm.php?colselect_submit=&cf_name=SELECT%20*%20FROM%20`evo_section`%20ORDER%20BY%20`evo_section`.`sec_name`&cf_owner=&cf_type=&blog_filter_preset=custom&ctrl=collections

Detection notes:
- Monitor HTTP GET requests to evoadm.php where the `cf_name` parameter contains SQL keywords (SELECT, FROM, ORDER BY) or their URL-encoded equivalents, combined with the `ctrl=collections` and `blog_filter_preset=custom` query parameters.
- Look for requests carrying internal b2evolution table names in the `cf_name` parameter: evo_users, evo_blogs, evo_section. These are the tables enumerated by the public exploit.
- The exploit requires an authenticated session (admin credentials); correlate suspicious evoadm.php SQL injection attempts with prior login events to the b2evolution admin panel at index.php?disp=login.
- Because the exploit is authenticated, the attacker holds a valid admin session when the injection payload is delivered. Detection rules should account for the malicious requests appearing as legitimate admin activity rather than anonymous traffic.
- The payload is delivered via HTTP GET parameters, not the POST body, so WAF/IDS rules must inspect the query string of requests to evoadm.php, specifically the `cf_name` parameter, for SQL injection patterns.
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.
References
- http://packetstormsecurity.com/files/162489/b2evolution-7-2-2-SQL-Injection.html
- https://deadsh0t.medium.com/authenticated-boolean-based-blind-error-based-sql-injection-b752225f0644
- https://github.com/b2evolution/b2evolution/issues/109