cbcvebase.
CVE-2021-41649
published 2021-10-01

CVE-2021-41649: An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request…

PriorityP183critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
51.77%
98.8th percentile
An un-authenticated SQL Injection exists in PuneethReddyHC online-shopping-system-advanced through the /homeaction.php cat_id parameter. Using a post request does not sanitize the user input.

Detection & IOCsextracted from sources · hover to see the quote

path/homeaction.php
commandPOST /homeaction.php body: cat_id=4'&get_seleted_Category=1
  • Send a POST request to /homeaction.php with a SQL-injected cat_id parameter (e.g., cat_id=4') and look for PHP/mysqli error strings in the response body to confirm exploitation.
  • The vulnerability is unauthenticated and triggered via HTTP POST; no session or authentication token is required to exploit the cat_id parameter in /homeaction.php.
  • A 200 HTTP status code combined with the mysqli error string in the body is a reliable indicator of successful SQL injection triggering on this endpoint.
  • ·The Nuclei template targets {{BaseURL}}/homeaction.php with a single POST request (max-request: 1); detection relies on error-based SQL injection response disclosure, meaning hardened or error-suppressed deployments may not return the triggering strings.

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vulncheck9.8CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.