CVE-2021-47704
BaseFortify
Publication date: 2025-12-09
Last updated on: 2025-12-09
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openbmcs | openbmcs | 2.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The provided resources do not explicitly discuss how this SQL injection vulnerability in OpenBMCS 2.4 affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized access and extraction of sensitive database information, it could potentially lead to violations of data protection regulations by exposing personal or sensitive data. This could impact compliance with standards that require protection of confidential information. [1, 2, 3]
Can you explain this vulnerability to me?
This vulnerability is an SQL injection in OpenBMCS 2.4 that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Specifically, attackers can send malicious GET requests to the /debug/obix_test.php endpoint with crafted 'id' parameters to extract information from the database.
How can this vulnerability impact me? :
This vulnerability can allow attackers to extract sensitive database information by exploiting the SQL injection flaw. This could lead to unauthorized access to data, data leakage, and potentially further compromise of the system depending on the data accessed.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for authenticated GET requests to the /debug/obix_test.php endpoint with suspicious or malformed 'id' parameters that could indicate SQL injection attempts. One way to detect it is by analyzing web server logs for such requests. Additionally, sending crafted GET requests with various 'id' values and observing for SQL errors or unexpected responses can help confirm the vulnerability. For example, using curl to send a test request: curl -i -b cookie.txt 'http://target/debug/obix_test.php?id=1"' (where cookie.txt contains authenticated session cookies) may trigger SQL errors indicating injection points. Monitoring for PDOException errors or SQL syntax errors in application logs can also help detect exploitation attempts. [1, 3]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the /debug/obix_test.php endpoint to only trusted and authenticated users, applying input validation and sanitization on the 'id' parameter to prevent SQL injection, and updating or patching OpenBMCS to a version where this vulnerability is fixed if available. Additionally, monitoring logs for suspicious activity and limiting privileges of authenticated users to reduce potential impact are recommended. [1, 2, 3]