cbcvebase.
CVE-2021-3239
published 2021-02-15

CVE-2021-3239: E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web…

PriorityP276critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
17.93%
96.8th percentile
E-Learning System 1.0 suffers from an unauthenticated SQL injection vulnerability, which allows remote attackers to execute arbitrary code on the hosting web server and gain a reverse shell.

Affected

1 ranges
VendorProductVersion rangeFixed in
e-learning_system_projecte-learning_system

Detection & IOCsextracted from sources · hover to see the quote

url/caiwl/lesson.php?id=-1%20UNION%20SELECT%201,2,md5(999999999),4,5
url/lesson.php?id=-1%20UNION%20SELECT%201,2,md5(999999999),4,5
otherc8c605999f3d8352d7bb792cf3fdb25b
  • Detect exploitation attempts by monitoring HTTP GET requests to `lesson.php` (or `caiwl/lesson.php`) containing a UNION SELECT payload with `md5()` in the `id` parameter.
  • Successful exploitation can be confirmed by the presence of the MD5 hash `c8c605999f3d8352d7bb792cf3fdb25b` (md5 of 999999999) in the HTTP response body.
  • Use Shodan/FOFA queries to identify exposed E-Learning System 1.0 instances as potential targets: `http.title:"E-Learning System"` / `title="E-Learning System"`.
  • The exploit requires no authentication — any unauthenticated GET request to the vulnerable endpoint with a UNION-based SQLi payload should be treated as an attack attempt.
  • ·Two path variants exist for the vulnerable endpoint; both should be monitored — one under the `/caiwl/` subdirectory and one at the web root.
  • ·The nuclei template uses `stop-at-first-match: true`, meaning only the first matching path is tested per scan run; detection rules should cover both paths independently.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.