CVE-2021-36438
SQL Injection in Sourcecodester Job Portal via category Parameter
Publication date: 2026-04-27
Last updated on: 2026-04-28
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sourcecodester | online_job_portal_phppdo | 1.0 |
| sourcecodester | online_job_portal | 1.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This SQL Injection vulnerability allows unauthorized access and extraction of data from the backend databases. Such unauthorized data access can lead to exposure of sensitive personal or protected information.
Consequently, this vulnerability can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.
What immediate steps should I take to mitigate this vulnerability?
The injection point is the CATEGORY field of the advanced-search form, which is POSTed to /jobportal/index.php?q=result&searchfor=advancesearch in Online Job Portal in PHP/PDO 1.0. If you cannot patch immediately, restrict or disable that search function until you can.
The actual fix is to stop building the query string from user input: rewrite the search query as a PDO prepared statement and bind the CATEGORY (and COMPANY) values as parameters. The application already uses PDO, so no new dependency is needed; only the query construction changes.
Input validation (for example, an allowlist of the category names the portal actually offers) is worth adding as defence in depth, but on its own it is not a reliable substitute for parameterized queries.
The page lists only version 1.0 as affected and names no fixed release, so check the vendor for an updated version and apply it if one exists; otherwise apply the code fix above yourself.
Default web-server access logs do not record POST bodies, so log the search parameters at the application level (or in front of it, via a WAF or reverse proxy) and review them for quote characters, SQL keywords and comment markers in the CATEGORY field.
Can you explain this vulnerability to me?
This vulnerability is a SQL Injection (CWE-89) issue in Online Job Portal in PHP/PDO version 1.0. It affects the "CATEGORY" parameter of the advanced search, a POST request to "/jobportal/index.php?q=result&searchfor=advancesearch". The application inserts the submitted value directly into the SQL text of the search query, so a value containing a single quote can close the intended string literal and append attacker-chosen SQL.
By exploiting this, an unauthorized attacker can read data beyond the search results, typically by inferring it through boolean- or time-based blind techniques or by using UNION queries. What is reachable depends on the privileges of the database account the application connects with; at minimum the contents of the portal's own database are exposed.
How can this vulnerability impact me?
This vulnerability can have serious impacts including unauthorized access to sensitive data stored in the backend database. Attackers can extract confidential information, manipulate data, or disrupt the normal operation of the application.
Such unauthorized data access can lead to data breaches, loss of user trust, and potential financial and reputational damage to the organization using the vulnerable software.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This SQL Injection vulnerability can be detected by testing the "CATEGORY" parameter in POST requests to the endpoint "/jobportal/index.php?q=result&searchfor=advancesearch" against your own installation.
One effective method is to capture a legitimate advanced-search request (for example with a proxy) into a file and run sqlmap on that request file, restricting the test to the "CATEGORY" parameter and asking it to enumerate databases; a positive result confirms the injection.
Alternatively, intercept the search request in a proxy and send the boolean-based payload `Managerial' OR NOT 5832=5832#` in the "CATEGORY" field with "COMPANY" set to "Quest". The injected condition is false, so a vulnerable application returns the same result as a plain search for "Managerial" while the trailing `#` (the MySQL comment marker) discards the rest of the original query; sending the paired true condition (for example `5832=5831`) then returns a visibly different, larger result set. A patched application treats the whole string as a category name and returns nothing for both.
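The following Python example is added by the editor and is not code from the original page or from the Sourcecodester project. It models three things discussed above: the explanation of how the CATEGORY value ends up inside the SQL text, the mitigation (binding the values as parameters instead), and the boolean-based differential check just described. A constructed in-memory SQLite table stands in for the portal's jobs table; `search_vulnerable()` concatenates the CATEGORY and COMPANY values into the query as the affected code does, `search_safe()` binds them as parameters, and `boolean_blind_probe()` sends the true/false payload pair and reports whether the results differ. SQLite ends comments with `--` rather than MySQL's `#`, so the payloads here use `-- ` in place of the page's `#`. The table layout, sample rows and function names are assumptions for illustration only.

```python
import sqlite3
from functools import partial

# Constructed sample data standing in for the portal's jobs table.
JOBS = [
    ("Senior Manager", "Managerial", "Quest"),
    ("Junior Developer", "Engineering", "Quest"),
    ("Operations Manager", "Managerial", "Acme"),
    ("HR Generalist", "Human Resources", "Acme"),
]

# Boolean-based payload pair. The page's payload uses MySQL's "#" comment
# marker; SQLite only understands "--", so that is used here (assumption).
PAYLOAD_TRUE = "' OR NOT 5832=5831-- "   # injected condition is true
PAYLOAD_FALSE = "' OR NOT 5832=5832-- "  # injected condition is false


def make_db():
    """Create the in-memory table and load the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE jobs (title TEXT, category TEXT, company TEXT)")
    conn.executemany("INSERT INTO jobs VALUES (?, ?, ?)", JOBS)
    return conn


def search_vulnerable(conn, category, company):
    """The CWE-89 pattern: user input is pasted into the SQL text, so a quote
    in CATEGORY closes the literal and the comment marker drops the rest."""
    sql = ("SELECT title FROM jobs WHERE category = '" + category
           + "' AND company = '" + company + "'")
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, category, company):
    """Parameterized form: the driver sends the values separately from the
    query text, so quotes and comment markers stay ordinary data."""
    sql = "SELECT title FROM jobs WHERE category = ? AND company = ?"
    return [row[0] for row in conn.execute(sql, (category, company))]


def boolean_blind_probe(search, category, company):
    """Differential check: if a true and a false injected condition produce
    different result sets, CATEGORY is being interpreted as SQL."""
    rows_true = search(category + PAYLOAD_TRUE, company)
    rows_false = search(category + PAYLOAD_FALSE, company)
    return rows_true != rows_false


def demo():
    """Run both query styles against the same data and return the outcomes."""
    conn = make_db()
    vuln = partial(search_vulnerable, conn)
    safe = partial(search_safe, conn)
    return {
        # Legitimate search: one Managerial job at Quest.
        "baseline": safe("Managerial", "Quest"),
        # False condition: company filter is commented away, so both
        # Managerial jobs come back regardless of company.
        "vulnerable_false": vuln("Managerial" + PAYLOAD_FALSE, "Quest"),
        # True condition: the OR makes the WHERE clause match every row.
        "vulnerable_true": vuln("Managerial" + PAYLOAD_TRUE, "Quest"),
        # Bound parameter: the payload is just a category that does not exist.
        "safe_payload": safe("Managerial" + PAYLOAD_TRUE, "Quest"),
        "vulnerable_flagged": boolean_blind_probe(vuln, "Managerial", "Quest"),
        "safe_flagged": boolean_blind_probe(safe, "Managerial", "Quest"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The same differential can be driven against a real installation by replacing the `search` callable with a function that POSTs the form and returns the response body (or its length); the comparison logic does not change. The result-set difference between the two payloads is exactly the signal the page's manual test and sqlmap's boolean-based technique rely on.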