CVE-2021-44655
published 2021-12-15CVE-2021-44655: Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be…
PriorityP262critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
5.97%
92.4th percentile
Online Pre-owned/Used Car Showroom Management System 1.0 contains a SQL injection authentication bypass vulnerability. Admin panel authentication can be bypassed due to SQL injection vulnerability in the login form allowing attacker to get admin access on the application.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| online_pre-owned | used_car_showroom_management_system_project_online_pre-owned_used_car_showroom_m | — | — |
Detection & IOCsextracted from sources · hover to see the quote
- →Detect POST requests to the vulnerable login endpoint /used_car_showroom/classes/Login.php with the query parameter f=login, especially containing SQL injection payloads in the username field (e.g., ' or 1=1 limit 1 -- -). ↗
- →Flag POST body content containing classic SQLi authentication bypass patterns such as OR 1=1 with comment sequences (-- -) in the username parameter targeting this application. ↗
- →Look for requests with X-Requested-With: XMLHttpRequest header combined with Content-Type: application/x-www-form-urlencoded targeting the Login.php endpoint, indicating AJAX-based exploitation of the login form. ↗
- ·The exploit was tested on localhost; in real deployments the application root path /used_car_showroom/ may differ, so detection rules should account for variable base paths. ↗
- ·The vulnerability affects specifically version 1.0 of Online Pre-owned/Used Car Showroom Management System; confirm version before applying targeted detections. ↗
CVSS provenance
nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
No detection rules found.
No writeups or analysis indexed.
https://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44655https://www.exploit-db.com/exploits/50560https://www.nu11secur1ty.com/2021/12/cve-2021-44655.htmlhttps://github.com/nu11secur1ty/CVE-mitre/tree/main/CVE-2021-44655https://www.exploit-db.com/exploits/50560https://www.nu11secur1ty.com/2021/12/cve-2021-44655.html
2021-12-15
Published