CVE-2021-42667
published 2021-11-05


Priority P269 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Tags: EXPLOIT
EPSS: 15.81% (96.5th percentile)
A SQL Injection vulnerability exists in Sourcecodester Online Event Booking and Reservation System in PHP in event-management/views. An attacker can use this vulnerability to manipulate the SQL query that is executed, extract sensitive data from the web server and, in some cases, obtain remote code execution on the remote web server.

Affected (1 range)

Vendor: online_event_booking_and_reservation_system_project
Product: online_event_booking_and_reservation_system
Version range and fixed-in version are not listed.

Detection & IOCs (extracted from sources)

URL: /views/?v=USER&ID=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2Cmd5(999999999)%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%3B--%20-
Path: /event-management/views
Command: 1 UNION ALL SELECT NULL,NULL,NULL,md5(999999999),NULL,NULL,NULL,NULL,NULL;-- -
  • Detect exploitation attempts by monitoring GET requests to /views/ containing UNION ALL SELECT and md5() patterns in the ID parameter, indicative of blind/union-based SQL injection probing.
  • Exploitation is authenticated — attacker first POSTs credentials to /login.php before issuing the SQLi payload to /views/?v=USER&ID=...; correlate login events with subsequent injection requests from the same source IP.
  • Response body match for the MD5 hash of the injected numeric constant (999999999) confirms successful UNION-based SQL injection; monitor HTTP 200 responses from /views/ containing 32-character hex strings matching md5(999999999) = '52c69e3a57331081823331c4e69d3f2e'.
  • The vulnerable parameter is 'ID' in the query string of /views/ with the 'v' parameter set to 'USER'; alert on URL-encoded SQL keywords (UNION, SELECT, NULL, md5) appearing in the ID parameter value.
  • Exploitation requires prior authentication — the attacker must obtain valid credentials and establish a session via /login.php before the SQLi payload in /views/ is reachable.
  • The Nuclei template uses host-redirects with max-redirects: 2, meaning the application may issue redirects after login; detection rules must account for redirect chains before the payload request is issued.
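The detection logic in the bullets above, written out as an added example (not code from the page or the project): it scans access-log lines for GET requests to /views/ whose ID parameter carries SQL keywords while v=USER, and records whether the same source IP POSTed to /login.php earlier. The log lines, the field layout and the helper names are constructed assumptions.

```python
"""Access-log detector for the CVE-2021-42667 SQLi pattern (added example).
Log lines below are constructed samples in combined log format, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample log: login, a benign /views/ request, the injection probe, and
# an unrelated client. Not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Nov/2021:10:00:01 +0000] "POST /event-management/login.php HTTP/1.1" 302 0
203.0.113.7 - - [05/Nov/2021:10:00:02 +0000] "GET /event-management/views/?v=USER&ID=1 HTTP/1.1" 200 4120
203.0.113.7 - - [05/Nov/2021:10:00:05 +0000] "GET /event-management/views/?v=USER&ID=1%20UNION%20ALL%20SELECT%20NULL%2CNULL%2CNULL%2Cmd5(999999999)%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%3B--%20- HTTP/1.1" 200 4250
198.51.100.9 - - [05/Nov/2021:10:01:00 +0000] "GET /event-management/views/?v=USER&ID=7 HTTP/1.1" 200 4118
"""

# client ip, method, request target, status code (combined log format)
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) \S+')
# SQL keywords the page names as indicators; matched on the URL-decoded ID value.
SQLI_RE = re.compile(r"\b(union|select|null)\b|md5\s*\(", re.IGNORECASE)

def is_sqli_probe(target: str) -> bool:
    """True for a /views/ request with v=USER whose ID value contains SQL keywords."""
    parts = urlsplit(target)
    if not parts.path.endswith("/views/"):
        return False
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs URL-decodes values
    if qs.get("v", [""])[0].upper() != "USER":
        return False
    return any(SQLI_RE.search(value) for value in qs.get("ID", []))

def find_alerts(log_text: str) -> list[dict]:
    """One alert per suspicious /views/ GET, noting whether that IP logged in earlier."""
    logged_in: set[str] = set()
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        if method == "POST" and urlsplit(target).path.endswith("/login.php"):
            logged_in.add(ip)  # session established; later probes from this IP are authenticated
        elif method == "GET" and is_sqli_probe(target):
            alerts.append({"ip": ip, "status": int(status), "authenticated": ip in logged_in})
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

A 200 response to a flagged request is only a probe indicator; confirming success needs the response body check from the bullet above, which access logs do not carry.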

CVSS provenance

NVD v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P