cbcvebase.
CVE-2021-37589
published 2022-06-07

CVE-2021-37589: Virtua Cobranca before 12R allows SQL Injection on the login page.

Priority: P2 · 66 · high
CVSS 3.1: 7.5 (AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:N / A:N)
Exploit: public exploit available
EPSS: 29.67% (98.0th percentile)

Affected

1 range

Vendor: virtuasoftware · Product: cobranca · Version range: < 12r · Fixed in: 12r

Detection & IOCs (extracted from sources)

url: /controller/login.php?acao=autenticar
url: /controller/origemdb.php?idselorigem=ATIVOS
command: idusuario='&idsenha=awesome_and_unprobaly_password&tipousr=Usuario
command: idusuario='+AND+'1'='1'--&idsenha=a&tipousr=Usuario
other: http.favicon.hash:876876147
other: icon_hash=876876147
path: /controller/login.php
  • An HTTP 500 response to a login POST whose idusuario parameter contains a single quote indicates an unsanitized SQL injection point; a follow-up request with balanced SQL syntax returns HTTP 200, confirming blind SQLi.
  • Detection condition: status_code_2 == 500 (malformed-quote payload) AND status_code_3 == 200 (balanced-quote payload) on the login endpoint confirms exploitation.
  • A response body in the third request containing the Portuguese error strings 'Os parametros não estão informados corretamente' or 'O CNPJ dos parametro não está informado corretamente' confirms a successful blind SQLi probe.
  • The X-Requested-With: XMLHttpRequest header is required on the login POST requests for the injection to be processed.
  • The exploit uses sqlmap against the idusuario POST parameter, targeting a Firebird DBMS backend.
  • The vulnerability is unauthenticated and requires no prior session: the PHPSESSID and origem_selecionado cookies are empty in the PoC, so no valid session is needed to exploit it.
  • The NVD advisory states the vulnerable version is 'before 12R', while the Exploit-DB PoC was tested against version 12S, suggesting the vulnerability persisted beyond the initially reported boundary version.

CVSS provenance

nvd · v3.1 · 7.5 · HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
nvd · v2.0 · 5.0 · MEDIUM · AV:N/AC:L/Au:N/C:P/I:N/A:N