CVE-2021-34187
published 2021-06-28

CVE-2021-34187: main/inc/ajax/model.ajax.php in Chamilo through 1.11.14 allows SQL Injection via the searchField, filters, or filters2 parameter.

Priority: P1 82 · Severity: critical 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Badges: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 15.58% (96.4th percentile)

Affected (1 range)

Vendor     Product    Version range    Fixed in
chamilo    chamilo    <= 1.11.14

Detection & IOCs (extracted from sources)

Path: /main/inc/ajax/model.ajax.php
URL: /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+md5({{num}}))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
URL: /main/inc/ajax/model.ajax.php?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1&searchField=1))and(1)%20UNION%20ALL%20SELECT%20CONCAT((select+extractvalue(0x0a,concat(0x0a,(md5({{num}})))))),NULL,NULL,NULL--%20-)and((1=&searchOper=ni&searchString=testx&filters2={}&from_course_session=0
  • Exploit targets the 'searchField' parameter with UNION-based SQL injection payload using double-closing parentheses breakout: `1))and(1) UNION ALL SELECT CONCAT(...),NULL,NULL,NULL-- -`
  • Error-based SQL injection variant uses MySQL's extractvalue() with 0x0a (newline) to leak data via XPATH error messages in the same endpoint
  • Successful exploitation returns an md5 hash value in a JSON response body (Content-Type: application/json); detection can match the expected md5 of a known numeric canary in the HTTP response body
  • The vulnerable action parameter is `a=get_sessions_tracking`; monitor GET requests to model.ajax.php with this action combined with `_search=1` and SQL metacharacters in searchField/filters/filters2
  • Chamilo LMS instances can be fingerprinted via the HTTP response header `X-Powered-By: Chamilo` for asset discovery prior to exploitation
  • The attack is unauthenticated (PR:N) and network-reachable (AV:N); no session cookie or prior authentication is required to trigger the SQL injection
  • Vulnerability affects Chamilo versions up to and including 1.11.14 only; 1.11.15+ is patched
  • The Nuclei template uses a numeric canary variable (`num: 999999999`) and matches its md5 in the response; detection logic depends on the database executing the injected SELECT and reflecting the result in JSON output
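As an added example (not code from this page, the Nuclei template, or the Chamilo project), the following Python detector applies the indicators above to web-server access log lines: it flags requests to model.ajax.php whose searchField, filters or filters2 values contain SQL metacharacters, and rates confidence higher when the `a=get_sessions_tracking` action and `_search=1` flag from the PoC shape are also present. The combined log format, the sample lines and the SQL keyword list are constructed assumptions; the keyword list is a starting point, not a complete signature.

```python
"""Access-log detector for the CVE-2021-34187 request shape (added example, not
from the page or the Chamilo project). Assumes a combined-format access log;
the sample lines below are constructed."""
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Indicators taken from the page: vulnerable endpoint, action, search flag
# and the three injectable parameters.
VULN_PATH = "/main/inc/ajax/model.ajax.php"
VULN_ACTION = "get_sessions_tracking"
INJECTABLE_PARAMS = ("searchField", "filters", "filters2")

# SQL metacharacters / keywords to flag inside the injectable parameters.
# Assumption: drawn from the UNION- and error-based patterns described above,
# not an exhaustive signature (tune for your own false-positive rate).
SQL_PATTERN = re.compile(
    r"""(\)\s*\)|--\s|'|\bunion\b|\bselect\b|\bconcat\b|\bextractvalue\b)""",
    re.IGNORECASE,
)

# Combined log format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)


def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a request target that matches the indicators, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith(VULN_PATH):
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)  # decodes percent-encoding once
    tainted = []
    for name in INJECTABLE_PARAMS:
        for value in qs.get(name, []):
            # decode a second time so double-encoded values are also inspected
            if SQL_PATTERN.search(unquote_plus(value)):
                tainted.append(name)
                break
    if not tainted:
        return None
    action = qs.get("a", [""])[0]
    search_flag = qs.get("_search", [""])[0] == "1"
    return {
        "action": action,
        "search_flag": search_flag,
        "tainted_params": tainted,
        # full PoC shape (action + _search=1 + metacharacters) => high confidence
        "confidence": "high" if action == VULN_ACTION and search_flag else "medium",
    }


def scan_log(lines):
    """Parse combined-format lines and collect findings with client/time/status."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m.group("target"))
        if finding:
            finding.update(client=m.group("client"), time=m.group("time"),
                           status=int(m.group("status")))
            findings.append(finding)
    return findings


# Constructed sample log: one legitimate grid search, one injection attempt,
# one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [28/Jun/2021:10:00:01 +0000] "GET /main/inc/ajax/model.ajax.php'
    '?a=get_sessions_tracking&work_id=1&rows=20&page=1&sidx=0&sord=asc&_search=1'
    '&searchField=name&searchOper=eq&searchString=alice&filters2={} HTTP/1.1" 200 512',
    '198.51.100.7 - - [28/Jun/2021:10:00:02 +0000] "GET /main/inc/ajax/model.ajax.php'
    '?a=get_sessions_tracking&work_id=1&rows=0&page=1&sidx=0&sord=test&_search=1'
    '&searchField=1))and(1)%20UNION%20ALL%20SELECT%20NULL--%20-&searchOper=ni'
    '&searchString=testx&filters2={} HTTP/1.1" 200 87',
    '203.0.113.9 - - [28/Jun/2021:10:00:03 +0000] "GET /index.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

The detector keys on the request shape rather than on the md5 canary in the response, so it works on ordinary access logs where response bodies are not recorded; pairing it with the response-side check described above (expected md5 of a known canary in a JSON body) gives a second, higher-fidelity signal where full HTTP capture is available.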

CVSS provenance

Source       Version    Score    Severity    Vector
nvd          v3.1       9.8      CRITICAL    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd          v2.0       7.5      HIGH        AV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck               9.8      CRITICAL