CVE-2021-34187
Published 2021-06-28
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
CVSS 3.1: 9.8 (critical), vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Priority: P1 (82)
Status: exploited in the wild; public exploit available; listed in VulnCheck KEV
EPSS: 15.58% (96.4th percentile)
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| chamilo | chamilo | <= 1.11.14 | — |
Detection & IOCs (extracted from sources)
PoC request URLs (the `{{num}}` placeholder is the Nuclei template's numeric canary):
- UNION-based: /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+md5({{num}}))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
- Error-based: /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(md5({{num}})))))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
Observations:
- The exploit targets the `searchField` parameter with a UNION-based payload that first closes two open parentheses in the generated WHERE clause: `1))and(1) UNION ALL SELECT CONCAT(...),NULL,NULL,NULL-- -`. The trailing `)and((1=` re-balances the parentheses the application appends after the comment marker.
- The error-based variant wraps the same subquery in MySQL's `extractvalue()` with an invalid XPath expression (`0x0a`), so the md5 value is returned inside the XPATH syntax error message rather than in the result set; same endpoint, same parameter.
- Successful exploitation returns the md5 hash in a JSON response body (Content-Type: application/json). Detection can match the md5 of a known numeric canary in the HTTP response body.
- The action used by the public PoC is `a=get_sessions_tracking`. Monitor GET requests to model.ajax.php that carry this action together with `_search=1` and SQL metacharacters in searchField, filters or filters2; the advisory names all three parameters as injectable, so do not restrict the rule to one of them.
- Chamilo LMS instances can be fingerprinted for asset discovery via the HTTP response header `X-Powered-By: Chamilo`.
- The attack is unauthenticated (PR:N) and network-reachable (AV:N); no session cookie or prior login is required.
- Affects Chamilo versions up to and including 1.11.14; 1.11.15 and later are patched.
- The Nuclei template uses a numeric canary variable (`num: 999999999`) and matches its md5 in the response. The check therefore only fires when the database actually executes the injected SELECT and the result is reflected in the JSON output; a WAF-blocked or error-suppressed request produces no match.
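The log-side rule and the response check described above, as an added example that is not part of the original page or of the Nuclei project's code. The script parses constructed access-log lines (sample data, not real traffic), flags GET requests to model.ajax.php whose searchField/filters/filters2 value carries SQL metacharacters, records whether the action is get_sessions_tracking and _search=1 is set, and separately checks a response body for the md5 of the template's numeric canary. The log format, the metacharacter token list and the sample IP addresses are assumptions.

```python
import hashlib
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint and parameters named in the advisory. Any action on model.ajax.php is
# in scope; get_sessions_tracking is the one the public PoC uses.
VULN_PATH = "/main/inc/ajax/model.ajax.php"
INJECTABLE_PARAMS = ("searchField", "filters", "filters2")
POC_ACTION = "get_sessions_tracking"

# Tokens that have no business in a jqGrid field name or filter JSON (assumed list).
SQLI_RE = re.compile(
    r"(?i)(\bunion\b|\bselect\b|--|/\*|'|\)\s*and\s*\(|extractvalue\s*\(|updatexml\s*\(|\bsleep\s*\(|\bbenchmark\s*\()"
)

# Combined log format: client ip, request line, status code (assumed format).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: two PoC requests from one source, one benign jqGrid search, one unrelated hit.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Dec/2023:10:15:01 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+md5(999999999))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [02/Dec/2023:10:15:02 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(md5(999999999)))))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0 HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [02/Dec/2023:10:16:30 +0000] "GET /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=20&page=1&sidx=id&sord=asc&_search=1&searchField=name&searchOper=cn&searchString=math&filters2={}&from_course_session=0 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2023:10:17:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "curl/8.0"
"""


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding if the request target matches the CVE-2021-34187 pattern, else None."""
    parts = urlsplit(target)
    if parts.path != VULN_PATH:
        return None
    # parse_qs percent-decodes and turns '+' into a space, so the regex sees the real payload.
    qs = parse_qs(parts.query, keep_blank_values=True)
    action = qs.get("a", [""])[0]
    for param in INJECTABLE_PARAMS:
        for value in qs.get(param, []):
            m = SQLI_RE.search(value)
            if m:
                return {
                    "action": action,
                    "poc_action": action == POC_ACTION,   # high confidence: matches the public PoC
                    "search_mode": qs.get("_search", [""])[0] == "1",
                    "param": param,
                    "token": m.group(0),
                    "value": value,
                }
    return None


def detect(log_text: str) -> list:
    """Run inspect_request over every parsable log line; return one finding per matching request."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = inspect_request(m.group("target"))
        if hit:
            hit.update(src=m.group("src"), status=int(m.group("status")))
            findings.append(hit)
    return findings


def canary_md5(num: int) -> str:
    """md5 of the decimal string of the canary, which is what MySQL's md5(999999999) returns."""
    return hashlib.md5(str(num).encode()).hexdigest()


def response_leaks_canary(body: str, num: int = 999999999) -> bool:
    """True if the response echoes md5(num): the database executed the injected SELECT."""
    return canary_md5(num) in body


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(finding["src"], finding["param"], finding["token"], finding["poc_action"])
```

The rule keys on the decoded parameter value rather than on the raw URL, so `%27`, `+` and mixed-case keywords do not evade it; pair it with `response_leaks_canary` on captured response bodies to separate scanning noise from confirmed execution.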
CVSS provenance
- NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
- NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)
- VulnCheck: 9.8 CRITICAL
GHSA
GHSA-rqcc-mmff-6m92: main/inc/ajax/model (ghsa_unreviewed, 2022-05-24)
CVE-2021-34187 [CRITICAL] CWE-89
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
VulnCheck
chamilo chamilo: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (vulncheck, 2021, CVSS 9.8, CRITICAL)
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
Affected: chamilo chamilo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References:
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2023-12-02&host_type=src&vulnerability=cve-2021-34187
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-22&host_type=src&vulnerability=cve-2021-34187
- https://dashboard.shadowserver.org/statistics/honeypot/vulnerability/map/?day=2024-01-24&hos
No detection rules found.
Nuclei
Chamilo model.ajax.php - SQL Injection (nuclei, CVSS 9.8, CRITICAL)
main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
Template:
```yaml
id: CVE-2021-34187

info:
  name: Chamilo model.ajax.php - SQL Injection
  author: DhiyaneshDK
  severity: critical
  description: |
    main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.
  impact: |
    Unauthenticated attackers can exploit SQL injection via multiple parameters to extract database contents, potentially exposing all Chamilo LMS data including user credentials.
  remediation: |
    Upgrade to Chamilo version 1.11.15 or later.
  reference:
    - https://murat.one/?p=118
    - https://nvd.nist.gov/vuln/detail/CVE-2021-34187
  classification:
    cvss-metrics:
```
No writeups or analysis indexed.
References:
- https://github.com/chamilo/chamilo-lms/commit/005dc8e9eccc6ea35264064ae09e2e84af8d5b59
- https://github.com/chamilo/chamilo-lms/commit/f7f93579ed64765c2667910b9c24d031b0a00571
- https://murat.one/?p=118
- https://support.chamilo.org/projects/1/wiki/Security_issues#Issue-67-2021-05-27-High-impact-very-high-risk-Unauthenticated-SQL-injection