CVE-2021-47766
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-15

Last updated on: 2026-01-15

Assigner: VulnCheck

Description
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-15
Last Modified
2026-01-15
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47766
EUVD
EUVD-2026-2773
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
levelprograms kmaleon 1.1.0.205
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an authenticated SQL injection in the 'tipocomb' parameter of the kmaleonW.php script in Kmaleon version 1.1.0.205. An attacker with valid credentials can inject malicious SQL code through this parameter to manipulate database queries. The injection can be performed using boolean-based, error-based, and time-based blind SQL injection techniques, allowing the attacker to extract or manipulate sensitive database information. [2]

Impact Analysis

Exploiting this vulnerability can allow an authenticated attacker to access, extract, or manipulate sensitive data stored in the backend database of the Kmaleon application. This could lead to unauthorized disclosure of confidential information, data integrity issues, and potentially disrupt the normal operation of the application. [2]

Detection Guidance

This vulnerability can be detected by testing the 'tipocomb' parameter in the kmaleonW.php script for SQL injection using authenticated requests. Example payloads to test include boolean-based, error-based, and time-based SQL injection techniques. Example commands using curl (assuming authentication cookie or credentials are set) could be: 1. Boolean-based test: curl -b 'auth_cookie=your_auth_cookie' 'http://target/kmaleonW.php?tipocomb=-9144 OR 6836=6836' 2. Error-based test: curl -b 'auth_cookie=your_auth_cookie' "http://target/kmaleonW.php?tipocomb= OR (SELECT 8426 FROM(SELECT COUNT(*),CONCAT(0x7176716b71,(SELECT (ELT(8426=8426,1))),0x716a707671,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)" 3. Time-based test: curl -b 'auth_cookie=your_auth_cookie' "http://target/kmaleonW.php?tipocomb= OR (SELECT 2738 FROM (SELECT(SLEEP(5)))EYSv)" Monitoring response differences or delays can indicate the presence of the vulnerability. [2]

Mitigation Strategies

Immediate mitigation steps include: 1. Restrict access to the Kmaleon application to trusted users only, since the vulnerability requires authentication. 2. Apply input validation and parameterized queries or prepared statements on the 'tipocomb' parameter to prevent SQL injection. 3. If a patch or update is available from the vendor, apply it promptly. 4. Monitor logs for suspicious activity related to the 'tipocomb' parameter. 5. Consider temporarily disabling or restricting the vulnerable functionality until a fix is applied. [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47766. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart