CVE-2021-44567
published 2022-02-24

CVE-2021-44567: An unauthenticated SQL Injection vulnerability exists in RosarioSIS before 7.6.1 via the votes parameter in ProgramFunctions/PortalPollsNotes.fnc.php.

Priority: P2 · 72
Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 23.67% (97.5th percentile)

Affected

2 ranges
Vendor | Product | Version range | Fixed in
francoisjacquet | rosariosis | >= 0 < 7.6.1 | 7.6.1
rosariosis | rosariosis | < 7.6.1 | 7.6.1

Detection & IOCs (extracted from sources)

url: /ProgramFunctions/PortalPollsNotes.fnc.php
command: votes['; CREATE TABLE aaa(t text) --]=1
  • Detect exploitation attempts by inspecting POST requests to /ProgramFunctions/PortalPollsNotes.fnc.php that include the HTTP header 'X-Requested-With: XMLHttpRequest' and a 'votes' parameter containing SQL metacharacters (e.g., single quotes, double dashes, SQL keywords like CREATE/DROP/SELECT).
  • The injection is delivered via the 'votes' POST parameter as an array key (e.g., votes[<payload>]=1). WAF/IDS rules should parse array-key notation in POST bodies and apply SQL injection detection to both keys and values of the 'votes' parameter.
  • The vulnerable code path requires: votes is a POST array, X-Requested-With equals XMLHttpRequest, and the votes array is non-empty. All three conditions must be met for the injection to reach PortalPollsVote(). Alert on any POST to this endpoint with these conditions and SQL-like content in array keys.
  • The vulnerability is unauthenticated — no session or login cookie is required to reach the vulnerable endpoint, meaning perimeter controls relying on authentication state will not block exploitation.
  • The SQL injection payload is embedded in the array *key* of the votes parameter (not the value), which may bypass WAF/IDS rules that only inspect POST parameter values and not parameter names or array keys.
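
The checks in the bullets above, written as a request inspector. This is an added example, not code from RosarioSIS or from the sources this page draws on; the function names, the SQL_HINT pattern and the benign sample body are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlencode, urlsplit

ENDPOINT = "/ProgramFunctions/PortalPollsNotes.fnc.php"  # path given on this page
# Constructed pattern (assumption): quote/semicolon metacharacters, comment markers, SQL keywords.
SQL_HINT = re.compile(
    r"['\";]|--|/\*|\b(?:select|union|insert|update|delete|create|drop|alter)\b", re.I)
# PHP-style array notation: the first-level key is the text between "votes[" and the next "]".
VOTES_KEY = re.compile(r"votes\[(.*?)\]", re.S)


def votes_keys(body):
    """Return the decoded first-level keys of every votes[...] field in a urlencoded body."""
    keys = []
    for pair in body.split("&"):  # split on "&" only, so ";" in a key stays intact
        name = unquote_plus(pair.split("=", 1)[0])
        match = VOTES_KEY.match(name)
        if match:
            keys.append(match.group(1))
    return keys


def suspicious_votes_keys(method, url, headers, body):
    """Return votes[] keys with SQL-like content, or [] if the request misses the code path."""
    hdrs = {k.lower(): v for k, v in headers.items()}
    if method.upper() != "POST" or not urlsplit(url).path.endswith(ENDPOINT):
        return []
    if hdrs.get("x-requested-with") != "XMLHttpRequest":
        return []
    return [k for k in votes_keys(body) if SQL_HINT.search(k)]


# Constructed sample requests; the payload string is the one quoted on this page.
XHR = {"X-Requested-With": "XMLHttpRequest"}
ATTACK_BODY = urlencode({"votes['; CREATE TABLE aaa(t text) --]": "1"})
BENIGN_BODY = "votes[12][]=3"

if __name__ == "__main__":
    for label, hdrs, body in [("attack", XHR, ATTACK_BODY),
                              ("benign", XHR, BENIGN_BODY),
                              ("no XHR header", {}, ATTACK_BODY)]:
        print(label, "->", suspicious_votes_keys("POST", ENDPOINT, hdrs, body))
```

The inspector decodes the field name before matching, so a percent-encoded body and a raw body yield the same key.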

CVSS provenance

nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P