CVE-2021-47846
Unknown Unknown - Not Provided
SQL Injection in Digital Crime Report System Enables Auth Bypass

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
Digital Crime Report Management System 1.0 contains a critical SQL injection vulnerability affecting multiple login pages that allows unauthenticated attackers to bypass authentication. Attackers can exploit the vulnerability by sending crafted SQL injection payloads in email and password parameters across police, incharge, user, and HQ login endpoints.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-21
Last Modified
2026-01-21
Generated
2026-06-16
AI Q&A
2026-01-21
EPSS Evaluated
2026-06-14
NVD
CVE-2021-47846
EUVD
EUVD-2026-3637
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
unknown_vendor digital_crime_report_management_system 1.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a critical SQL injection flaw in the Digital Crime Report Management System 1.0 that affects multiple login pages. Attackers can send specially crafted SQL injection payloads in the email and password fields of police, incharge, user, and HQ login endpoints. This allows them to manipulate the SQL queries used for authentication, bypassing login checks without valid credentials and gaining unauthorized access to the system. [2, 4]

Impact Analysis

The vulnerability allows unauthenticated attackers to bypass authentication and gain unauthorized access to the Digital Crime Report Management System. This can lead to exposure of sensitive data, unauthorized actions within the system, and potential compromise of the integrity of crime report management processes. Since attackers do not need any privileges or user interaction to exploit this, it poses a high security risk. [2, 4]

Detection Guidance

This vulnerability can be detected by testing the login endpoints (policelogin.php, inchargelogin.php, userlogin.php, headlogin.php) for SQL injection by sending crafted SQL payloads in the 'email' and 'password' POST parameters. For example, you can use curl commands to send payloads like: curl -X POST -d "email='or''='&password='or''='&s=" http://targetsite/policelogin.php and observe if authentication is bypassed. Detection involves checking if the system allows login without valid credentials by manipulating SQL queries through these parameters. [4]

Mitigation Strategies

Immediate mitigation steps include implementing proper input validation and sanitization on all login endpoints, using prepared statements or parameterized queries to prevent SQL injection, and restricting access to these endpoints if possible. Additionally, monitoring and blocking suspicious requests containing SQL injection payloads can help reduce exploitation risk until a patch or update is applied. [4, 2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2021-47846. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart