CVE-2021-47811
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2026-01-16

Last updated on: 2026-02-02

Assigner: VulnCheck

Description
Grocery Crud 1.6.4 contains a SQL injection vulnerability in the order_by parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the order_by[] parameter in POST requests to the ajax_list endpoint to potentially extract or modify database information.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-16
Last Modified
2026-02-02
Generated
2026-06-16
AI Q&A
2026-01-16
EPSS Evaluated
2026-06-15
NVD
CVE-2021-47811
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
grocery_crud grocery_crud to 2.0.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2021-47811 is a SQL injection vulnerability in Grocery Crud version 1.6.4 and earlier. It occurs in the 'order_by' parameter used in POST requests to the ajax_list endpoint. Attackers can inject malicious SQL code through the order_by[] parameter because it does not properly sanitize user input. This allows remote attackers to manipulate database queries, potentially extracting or modifying sensitive database information. [1, 3]

Impact Analysis

This vulnerability can allow remote attackers to execute unauthorized SQL commands on the database used by Grocery Crud. As a result, attackers may extract sensitive data or modify database contents without authorization. This can lead to data breaches, loss of data integrity, and exposure of confidential information. [1, 3]

Detection Guidance

This vulnerability can be detected by monitoring HTTP POST requests to the ajax_list endpoint that include the order_by[] parameter. Specifically, you can look for suspicious or malformed SQL injection payloads in the order_by[] parameter within POST requests with content type application/x-www-form-urlencoded. A proof-of-concept exploit involves sending crafted POST requests to /path/to/ajax_list with manipulated order_by[] values to trigger SQL errors or extract database information. Using tools like curl or Burp Suite, you can send test POST requests to check if the endpoint is vulnerable. For example, a curl command to test might be: curl -X POST -d 'order_by[]=1 UNION SELECT NULL-- ' http://target/path/to/ajax_list -H 'Content-Type: application/x-www-form-urlencoded'. Monitoring web server logs for such requests or using intrusion detection systems to flag unusual order_by[] parameter usage can also help detect exploitation attempts. [1, 3]

Mitigation Strategies

Immediate mitigation steps include upgrading Grocery CRUD to version 2.0.1 or later, where this SQL injection vulnerability in the order_by parameter is fixed. If upgrading is not immediately possible, implement input validation and sanitization on the order_by[] parameter to prevent injection of malicious SQL code. Additionally, restrict access to the ajax_list endpoint to trusted users or networks, and monitor for suspicious POST requests targeting this endpoint. Applying web application firewall (WAF) rules to block SQL injection patterns in the order_by[] parameter can also help mitigate exploitation attempts. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47811. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart