CVE-2021-47811
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-01-16
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: grocery_crud
Product: grocery_crud
Version / Range: up to 2.0.1 (excluding)
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2021-47811 is a SQL injection vulnerability in Grocery Crud version 1.6.4 and earlier. It occurs in the 'order_by' parameter used in POST requests to the ajax_list endpoint. Attackers can inject malicious SQL code through the order_by[] parameter because it does not properly sanitize user input. This allows remote attackers to manipulate database queries, potentially extracting or modifying sensitive database information. [1, 3]


How can this vulnerability impact me?

This vulnerability can allow remote attackers to execute unauthorized SQL commands on the database used by Grocery Crud. As a result, attackers may extract sensitive data or modify database contents without authorization. This can lead to data breaches, loss of data integrity, and exposure of confidential information. [1, 3]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring HTTP POST requests to the ajax_list endpoint that include the order_by[] parameter. Specifically, you can look for suspicious or malformed SQL injection payloads in the order_by[] parameter within POST requests with content type application/x-www-form-urlencoded. A proof-of-concept exploit involves sending crafted POST requests to /path/to/ajax_list with manipulated order_by[] values to trigger SQL errors or extract database information. Using tools like curl or Burp Suite, you can send test POST requests to check if the endpoint is vulnerable. For example, a curl command to test might be: curl -X POST -d 'order_by[]=1 UNION SELECT NULL-- ' http://target/path/to/ajax_list -H 'Content-Type: application/x-www-form-urlencoded'. Monitoring web server logs for such requests or using intrusion detection systems to flag unusual order_by[] parameter usage can also help detect exploitation attempts. [1, 3]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading Grocery CRUD to version 2.0.1 or later, where this SQL injection vulnerability in the order_by parameter is fixed. If upgrading is not immediately possible, implement input validation and sanitization on the order_by[] parameter to prevent injection of malicious SQL code. Additionally, restrict access to the ajax_list endpoint to trusted users or networks, and monitor for suspicious POST requests targeting this endpoint. Applying web application firewall (WAF) rules to block SQL injection patterns in the order_by[] parameter can also help mitigate exploitation attempts. [2, 3]
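The two answers above (monitoring order_by[] values in POST bodies, and validating the parameter when an upgrade is not yet possible) come down to the same control: an ORDER BY column cannot be bound as a query parameter, so the request value must be matched against an allowlist before it touches the SQL text. The following is an added example, not code from Grocery CRUD, BaseFortify or the CVE record, and it is written in Python with sqlite3 rather than the library's PHP so it runs stand-alone. The `items` table, its column allowlist and the sample request bodies are constructed for the example; the `ajax_list` and `order_by[]` names are taken from the advisory.

```python
"""Added example (not Grocery CRUD's code): flag and safely apply order_by[]
values from an application/x-www-form-urlencoded POST body."""
import re
import sqlite3
from urllib.parse import parse_qs

# What a legitimate sort spec looks like: one column identifier, optionally
# followed by asc/desc. Anything else is not a sort spec.
SORT_SPEC = re.compile(
    r"^\s*([A-Za-z_][A-Za-z0-9_]*)(?:\s+(asc|desc))?\s*$", re.IGNORECASE
)

# Constructed allowlist: the columns the listing endpoint is allowed to sort by.
ALLOWED_COLUMNS = {"id", "name", "price"}

# Constructed sample bodies; the second carries the payload quoted in the
# detection answer above, form-encoded.
SAMPLE_BODIES = [
    "order_by[]=name+desc&search_field=name",
    "order_by[]=1+UNION+SELECT+NULL--+",
]


def order_by_values(body: str) -> list:
    """Return every order_by[] (or bare order_by) value in a form-encoded body."""
    params = parse_qs(body)
    return params.get("order_by[]", []) + params.get("order_by", [])


def flag_suspicious(body: str) -> list:
    """Detection: order_by[] values that are not a plain column/direction pair.
    Suitable for scanning captured request bodies (WAF or audit logs)."""
    return [v for v in order_by_values(body) if not SORT_SPEC.match(v)]


def build_order_by_unsafe(values) -> str:
    """The vulnerable pattern (CWE-89): request text concatenated into SQL."""
    return " ORDER BY " + ", ".join(values) if values else ""


def build_order_by(values, allowed=ALLOWED_COLUMNS) -> str:
    """Hardened: only allowlisted column names and a literal ASC/DESC are
    ever placed in the SQL text; everything else raises."""
    clauses = []
    for v in values:
        m = SORT_SPEC.match(v)
        if not m or m.group(1).lower() not in allowed:
            raise ValueError(f"rejected order_by value: {v!r}")
        direction = (m.group(2) or "asc").upper()
        clauses.append(f'"{m.group(1).lower()}" {direction}')
    return " ORDER BY " + ", ".join(clauses) if clauses else ""


def accepts(values) -> bool:
    """True if build_order_by would accept these values."""
    try:
        build_order_by(values)
        return True
    except ValueError:
        return False


def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the listed entity."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE items (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany(
        "INSERT INTO items (name, price) VALUES (?, ?)",
        [("pen", 1.5), ("book", 12.0), ("bag", 30.0)],
    )
    return conn


def ajax_list(conn: sqlite3.Connection, body: str) -> list:
    """Hardened listing handler: sort order comes only from build_order_by."""
    sql = "SELECT id, name, price FROM items" + build_order_by(order_by_values(body))
    return conn.execute(sql).fetchall()


if __name__ == "__main__":
    for body in SAMPLE_BODIES:
        print(body, "->", flag_suspicious(body) or "no suspicious order_by[]")
    print(ajax_list(demo_db(), "order_by[]=price+desc"))
```

The regex-based detector only catches values that are not shaped like a sort spec, so a request naming a real but unexpected column passes it; the allowlist in `build_order_by` is the control that actually closes the injection, and the detector is there to surface exploitation attempts in traffic you already capture.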

