CVE-2021-43510
published 2022-02-01

CVE-2021-43510: SQL Injection vulnerability exists in Sourcecodester Simple Client Management System 1.0 via the username field in login.php.

Priority: P2 (65)
Severity: critical, 9.8 (CVSS 3.1)
CVSS 3.1 vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: available
EPSS: 7.51% (93.7th percentile)

Affected

1 range

Vendor: simple_client_management_system_project
Product: simple_client_management_system
Version range: 1.0
Fixed in: (none listed)

Detection & IOCs (extracted from sources)

url: /classes/Login.php?f=login
command: username=admin'+or+'1'%3d'1'--+-&password=as
path: /classes/Login.php
  • Exploit sends a POST request to /classes/Login.php?f=login with a SQL injection payload in the username field; a successful auth-bypass response contains the JSON string {"status":"success"}
  • After successful SQL injection auth-bypass, the attacker's browser is redirected to a page containing the string 'Welcome to Simple Client', confirming full session establishment
  • The Content-Type of the POST request to the vulnerable endpoint is application/x-www-form-urlencoded; monitor for SQL injection patterns (OR '1'='1') in the username parameter of this endpoint
  • The vulnerability is in the username field of login.php; any unauthenticated POST to /classes/Login.php?f=login with classic OR-based SQLi tautology payloads should be flagged
  • The Nuclei template requires two sequential requests: the first POST to /classes/Login.php?f=login (injection), and a second GET to / to confirm session establishment. Both conditions must be met (AND logic) for a true positive match.
  • Detection is scoped to Sourcecodester Simple Client Management System version 1.0 only; the CPE is cpe:2.3:a:simple_client_management_system_project:simple_client_management_system:1.0

CVSS provenance

NVD, CVSS v3.1: 9.8 CRITICAL, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 HIGH, AV:N/AC:L/Au:N/C:P/I:P/A:P