CVE-2021-47848
Unknown Unknown - Not Provided
SQL Injection in Blitar Tourism 1.0 Enables Admin Bypass

Publication date: 2026-01-21

Last updated on: 2026-01-21

Assigner: VulnCheck

Description
Blitar Tourism 1.0 contains an authentication bypass vulnerability that allows attackers to bypass login by injecting SQL code through the username parameter. Attackers can manipulate the login request by sending a crafted username with SQL injection techniques to gain unauthorized administrative access.
Meta Information
Published: 2026-01-21
Last Modified: 2026-01-21
Generated: 2026-05-07
AI Q&A: 2026-01-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: satndy
Product: aplikasi-biro-travel
Version / Range: 1.0
CWE
CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability in Blitar Tourism 1.0 is an authentication bypass caused by SQL injection. Attackers can inject malicious SQL code into the username parameter during login, manipulating the SQL query to bypass password verification and gain unauthorized administrative access without valid credentials. [1, 2]


How can this vulnerability impact me?

The vulnerability allows attackers to bypass authentication and gain unauthorized administrative access to the Blitar Tourism application. This can lead to unauthorized control over administrative functions, potentially compromising sensitive data and the integrity of the system. [1, 2]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to exploit the SQL injection in the username parameter of the login POST request to the /travel/Admin/ endpoint. For example, sending a crafted POST request with the payload username=admin'%23&password=admin&Login=Log+in can test if authentication bypass is possible. Network monitoring tools can capture such requests, and web application scanners can be configured to test for SQL injection in the login form. Using curl, a command to test might be:

curl -X POST -d "username=admin'%23&password=admin&Login=Log+in" http://target-site/travel/Admin/ -v

[1]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include disabling or restricting access to the vulnerable login endpoint, applying input validation and parameterized queries to prevent SQL injection, and updating or patching the application if a fixed version is available. Additionally, monitoring and blocking suspicious login attempts with SQL injection patterns can help reduce risk until a permanent fix is applied. [2]
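The following is an added illustration written for this page, not code from the Blitar Tourism / aplikasi-biro-travel project or from the advisory sources. It puts the CWE-89 query-construction pattern next to its parameterized replacement (the "parameterized queries" step above) and adds a small check over a raw login POST body of the kind the detection answer above describes, so that a proxy or WAF log line carrying the advisory's own payload is flagged. The table layout, column names, the `correct-horse` password and the in-memory SQLite database are all constructed assumptions; the `#` line-comment behaviour referred to in the comments is MySQL's, which SQLite does not share, so the vulnerable query is only built here, not executed.

```python
import re
import sqlite3
from urllib.parse import parse_qs


def make_db():
    # Constructed in-memory users table standing in for the application's real one.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'correct-horse', 'admin')")
    conn.commit()
    return conn


def build_vulnerable_query(username, password):
    # CWE-89 pattern: the submitted values are spliced straight into the SQL text.
    # With the advisory's payload (username=admin'#) the quote closes the string
    # literal and '#' opens a MySQL line comment, so the "AND password = ..."
    # predicate never reaches the server's parser and the row is matched on
    # username alone. Returned as text only; it is deliberately not executed.
    return ("SELECT username, role FROM users WHERE username = '"
            + username + "' AND password = '" + password + "'")


def lookup_parameterized(conn, username, password):
    # Hardened form: placeholders keep the values out of the SQL text, so
    # admin'# is compared as a literal 7-character username and matches nothing.
    row = conn.execute(
        "SELECT username, role FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row


# Metacharacters that do not belong in a login username or password value.
SQLI_PATTERN = re.compile(r"['\"#;]|--|/\*")


def flag_login_body(body):
    """Return the names of form parameters whose decoded values contain SQL metacharacters.

    `body` is the raw application/x-www-form-urlencoded POST body as a proxy or
    WAF would log it; parse_qs undoes the %23 -> '#' and '+' -> ' ' encoding.
    """
    params = parse_qs(body, keep_blank_values=True)
    return sorted(name for name, values in params.items()
                  if any(SQLI_PATTERN.search(v) for v in values))


if __name__ == "__main__":
    payload_body = "username=admin'%23&password=admin&Login=Log+in"  # body from the advisory
    print(build_vulnerable_query("admin'#", "admin"))
    db = make_db()
    print(lookup_parameterized(db, "admin'#", "admin"))        # None: the bypass fails
    print(lookup_parameterized(db, "admin", "correct-horse"))  # ('admin', 'admin')
    print(flag_login_body(payload_body))                       # ['username']
```

The string returned by `build_vulnerable_query` is the whole point: once the password predicate sits behind a comment marker, no amount of password checking in application code matters, which is why the fix is the placeholder query and not input filtering. `flag_login_body` is a monitoring heuristic only; it will also flag a legitimate password containing an apostrophe, so tune it per field before blocking on it.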

