CVE-2021-44655
published 2021-12-15

Priority: P2 (62) · Severity: critical, 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 5.97% (92.4th percentile)
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed through a SQL injection in the login form, allowing an unauthenticated attacker to gain admin access to the application.

Affected (1 range)

Vendor: online_pre-ownedused_car_showroom_management_system_project
Product: online_pre-owned_used_car_showroom_m (name truncated in source)
Version range: 1.0
Fixed in: not listed

Detection & IOCs (extracted from sources)

URL: /used_car_showroom/classes/Login.php?f=login
Path: /used_car_showroom/admin/login.php
Command (POST body): username='+or+1%3D1+limit+1+--+-%2B&password=aaaa (username decodes to ' or 1=1 limit 1 -- -+)
  • Detect POST requests to the vulnerable login endpoint /used_car_showroom/classes/Login.php with the query parameter f=login, especially those carrying SQL injection payloads in the username field (e.g., ' or 1=1 limit 1 -- -).
  • Flag POST bodies containing classic SQLi authentication-bypass patterns, such as an OR tautology (OR 1=1) followed by a comment sequence (-- -), in the username parameter sent to this application.
  • Look for requests with an X-Requested-With: XMLHttpRequest header combined with Content-Type: application/x-www-form-urlencoded targeting the Login.php endpoint; this matches the AJAX login form and the published exploit, but on its own it is also how legitimate logins look, so treat it as context rather than as an alert.
  • The exploit was tested on localhost; in real deployments the application root path /used_car_showroom/ may differ, so detection rules should match on classes/Login.php?f=login under any base path rather than on the full literal URL.
  • The vulnerability affects specifically version 1.0 of Online Pre-owned/Used Car Showroom Management System; confirm the version before applying targeted detections.
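The detection bullets above, turned into runnable logic. This is an added example, not code from the CVE entry or from the affected project: it parses a few constructed request records (the first reuses the POST body quoted in the IOC list, the second is the same bypass against a different base path, the last two are benign), decodes the username parameter, and alerts only when the request hits classes/Login.php?f=login under any base path and the username carries an OR tautology. The comment sequence and the AJAX headers are recorded as supporting reasons, not as alert conditions on their own. The request dictionary layout, field names and the regexes are this example's own assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (assumed log format, not real traffic).
SAMPLE_REQUESTS = [
    {"method": "POST",
     "path": "/used_car_showroom/classes/Login.php?f=login",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "Content-Type": "application/x-www-form-urlencoded"},
     # Body quoted in the IOC list above
     "body": "username='+or+1%3D1+limit+1+--+-%2B&password=aaaa"},
    {"method": "POST",
     "path": "/dealer/classes/Login.php?f=login",          # different base path
     "headers": {"Content-Type": "application/x-www-form-urlencoded"},
     # admin' OR '1'='1' -- -
     "body": "username=admin%27%20OR%20%271%27%3D%271%27%20--%20-&password=x"},
    {"method": "POST",
     "path": "/used_car_showroom/classes/Login.php?f=login",
     "headers": {"X-Requested-With": "XMLHttpRequest",
                 "Content-Type": "application/x-www-form-urlencoded"},
     "body": "username=admin&password=Secret%21"},           # legitimate login
    {"method": "GET",
     "path": "/used_car_showroom/admin/login.php",
     "headers": {}, "body": ""},                             # just loads the form
]

# quote, OR, then <x>=<x> with optional quotes on either side; the two
# captured sides are compared afterwards so "OR 1=2" does not fire.
TAUTOLOGY = re.compile(r"""['"]\s*or\s+['"]?(\w+)['"]?\s*=\s*['"]?(\w+)['"]?""", re.I)
COMMENT = re.compile(r"--|#|/\*")


def is_login_endpoint(path_with_query):
    """True for <any base path>/classes/Login.php?f=login (base path unconstrained)."""
    parts = urlsplit(path_with_query)
    if not re.search(r"/classes/Login\.php$", parts.path, re.I):
        return False
    return parse_qs(parts.query).get("f") == ["login"]


def classify(req):
    """Return endpoint match, alert verdict, reasons and the decoded username."""
    result = {"endpoint": False, "alert": False, "reasons": [], "username": None}
    if req["method"].upper() != "POST" or not is_login_endpoint(req["path"]):
        return result
    result["endpoint"] = True
    # parse_qs decodes '+' to space and %XX escapes, so we inspect the SQL the app sees
    user = parse_qs(req["body"]).get("username", [""])[0]
    result["username"] = user
    m = TAUTOLOGY.search(user)
    if m and m.group(1).lower() == m.group(2).lower():
        result["reasons"].append("OR tautology in username")
        result["alert"] = True
    if COMMENT.search(user):
        result["reasons"].append("SQL comment sequence in username")
    hdr = {k.lower(): v for k, v in req["headers"].items()}
    if (hdr.get("x-requested-with") == "XMLHttpRequest"
            and hdr.get("content-type", "").startswith("application/x-www-form-urlencoded")):
        result["reasons"].append("AJAX form post to Login.php (context only)")
    return result


def scan(requests):
    """Return (index, classification) for every request that alerts."""
    hits = []
    for i, req in enumerate(requests):
        verdict = classify(req)
        if verdict["alert"]:
            hits.append((i, verdict))
    return hits


if __name__ == "__main__":
    for i, verdict in scan(SAMPLE_REQUESTS):
        print(f"request {i}: ALERT username={verdict['username']!r} reasons={verdict['reasons']}")
```

Decoding the body before matching matters: the IOC payload arrives as `'+or+1%3D1+limit+1+--+-%2B`, so a rule that looks for the literal string `1=1` in the raw body never fires. Matching on the decoded username also keeps the rule independent of whether the attacker encodes spaces as `+` or `%20`.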

CVSS provenance

NVD v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD v2.0: 7.5 HIGH (AV:N/AC:L/Au:N/C:P/I:P/A:P)