CVE-2021-47848
SQL Injection in Blitar Tourism 1.0 Enables Admin Bypass

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.
Meta Information
Published: 2026-01-21
Last Modified: 2026-01-21
Generated: 2026-06-16
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: satndy
Product: aplikasi-biro-travel
Version / Range: 1.0
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

This vulnerability in Blitar Tourism 1.0 is an authentication bypass caused by SQL injection. Attackers can inject malicious SQL code into the username parameter during login, manipulating the SQL query to bypass password verification and gain unauthorized administrative access without valid credentials. [1, 2]

Impact Analysis

The vulnerability allows attackers to bypass authentication and gain unauthorized administrative access to the Blitar Tourism application. This can lead to unauthorized control over administrative functions, potentially compromising sensitive data and the integrity of the system. [1, 2]

Detection Guidance

This vulnerability can be detected by attempting to exploit the SQL injection in the username parameter of the login POST request to the /travel/Admin/ endpoint. For example, sending a crafted POST request with the payload username=admin'%23&password=admin&Login=Log+in tests whether authentication bypass is possible. Network monitoring tools can capture such requests, and web application scanners can be configured to test for SQL injection in the login form. Using curl, a command to test might be:

curl -X POST -d "username=admin'%23&password=admin&Login=Log+in" http://target-site/travel/Admin/ -v [1]

Mitigation Strategies

Immediate mitigation steps include disabling or restricting access to the vulnerable login endpoint, applying input validation and parameterized queries to prevent SQL injection, and updating or patching the application if a fixed version is available. Additionally, monitoring and blocking suspicious login attempts with SQL injection patterns can help reduce risk until a permanent fix is applied. [2]
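As an added illustration that is not part of this advisory or of the Blitar Tourism code base, the following Python sketch shows the two defensive measures named above: a login lookup that binds the username as a query parameter, and a log-review check that flags login request bodies whose username carries the quote-plus-comment shape from the detection guidance. The admin table, its column names, the salt and the request bodies are constructed for the example.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from urllib.parse import parse_qs

SALT = os.urandom(16)  # constructed; a real store keeps a per-user salt


def hash_pw(password: str) -> bytes:
    # Slow, salted hash so a leaked table is not directly crackable.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the application's admin table
    (hypothetical schema; the real Blitar Tourism schema is not on the page)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT PRIMARY KEY, pw_hash BLOB)")
    db.execute("INSERT INTO admin VALUES (?, ?)", ("admin", hash_pw("s3cret")))
    return db


def login(db: sqlite3.Connection, username: str, password: str) -> bool:
    """Parameterized lookup: the driver binds `username` as data, so a quote
    or comment marker inside it cannot change the statement's structure."""
    row = db.execute("SELECT pw_hash FROM admin WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(row[0], hash_pw(password))


# Quote followed by a comment marker, statement terminator or boolean
# operator: the shape of login-bypass input such as the admin'# case above.
SUSPICIOUS = re.compile(r"'\s*(#|--|/\*|;|\bor\b|\band\b)", re.IGNORECASE)


def flag_login_request(body: str) -> bool:
    """True when the form body's username field looks like an injection
    attempt; meant for log review or WAF rules, not as a substitute for
    parameterized queries."""
    fields = parse_qs(body, keep_blank_values=True)  # decodes %23 -> '#'
    username = fields.get("username", [""])[0]
    return bool(SUSPICIOUS.search(username))


if __name__ == "__main__":
    db = build_db()
    print(login(db, "admin", "s3cret"), login(db, "admin'#", "admin"))
    print(flag_login_request("username=admin'%23&password=admin&Login=Log+in"))
```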
