CVE-2021-47704
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-09

Last updated on: 2025-12-09

Assigner: VulnCheck

Description
OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to extract database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-09
Last Modified
2025-12-09
Generated
2026-06-16
AI Q&A
2025-12-09
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47704
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openbmcs openbmcs 2.4
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an SQL injection in OpenBMCS 2.4 that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Specifically, attackers can send malicious GET requests to the /debug/obix_test.php endpoint with crafted 'id' parameters to extract information from the database.

Impact Analysis

This vulnerability can allow attackers to extract sensitive database information by exploiting the SQL injection flaw. This could lead to unauthorized access to data, data leakage, and potentially further compromise of the system depending on the data accessed.

Compliance Impact

The provided resources do not explicitly discuss how this SQL injection vulnerability in OpenBMCS 2.4 affects compliance with common standards and regulations such as GDPR or HIPAA. However, since the vulnerability allows unauthorized access and extraction of sensitive database information, it could potentially lead to violations of data protection regulations by exposing personal or sensitive data. This could impact compliance with standards that require protection of confidential information. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring for authenticated GET requests to the /debug/obix_test.php endpoint with suspicious or malformed 'id' parameters that could indicate SQL injection attempts. One way to detect it is by analyzing web server logs for such requests. Additionally, sending crafted GET requests with various 'id' values and observing for SQL errors or unexpected responses can help confirm the vulnerability. For example, using curl to send a test request: curl -i -b cookie.txt 'http://target/debug/obix_test.php?id=1"' (where cookie.txt contains authenticated session cookies) may trigger SQL errors indicating injection points. Monitoring for PDOException errors or SQL syntax errors in application logs can also help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the /debug/obix_test.php endpoint to only trusted and authenticated users, applying input validation and sanitization on the 'id' parameter to prevent SQL injection, and updating or patching OpenBMCS to a version where this vulnerability is fixed if available. Additionally, monitoring logs for suspicious activity and limiting privileges of authenticated users to reduce potential impact are recommended. [1, 2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47704. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart