CVE
CVE-2021-47811
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries.
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the orderby parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the orderby[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information.
Package Versions Affected
Package Version
patch Availability
No items found.
Automatically patch vulnerabilities without upgrading
Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request
CVSS Version
Severity
Base Score
CVSS Version
Score Vector
C
H
U
8.8
-
4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
C
H
U
-
Related Resources
No items found.
References
https://www.grocerycrud.com/, https://www.grocerycrud.com/downloads, https://www.vulncheck.com/advisories/grocery-crud-orderby-sql-injection, https://www.exploit-db.com/exploits/49985
Basic Information
Ecosystem
