CVE-2020-21012

9.8 CRITICAL

📋 TL;DR

This vulnerability allows unauthenticated attackers to execute arbitrary SQL commands via the email parameter in Sourcecodester Hotel and Lodge Management System 2.0. An attacker can potentially read, modify, or delete database content, including sensitive customer and financial data. Every deployment running the vulnerable version is affected.

💻 Affected Systems

Products:
  • Sourcecodester Hotel and Lodge Management System
Versions: Version 2.0
Operating Systems: Any OS running the web application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects multiple modules: Customer, Room, Currency, Room Booking Details, and Tax Details edit pages.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, system takeover, and potential lateral movement to other systems.

🟠 Likely Case

Data exfiltration of customer information, financial records, and system credentials.

🟢 If Mitigated

Limited impact: proper input validation and restrictive database permissions confine any damage to non-critical data.

🌐 Internet-Facing: HIGH - The vulnerability requires no authentication and is exploitable remotely through the web interface.
🏢 Internal Only: MEDIUM - Internal attackers could exploit it but would first need network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via the email parameter requires minimal technical skill to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch is available. Upgrade to a newer version if one exists, or implement the workarounds below.

🔧 Temporary Workarounds

Input Validation and Sanitization (scope: all)

Implement server-side validation and use parameterized queries wherever the email parameter reaches the database.

Prepared statement in PHP (PDO):
  $stmt = $pdo->prepare('SELECT * FROM users WHERE email = ?');
  $stmt->execute([$email]);

Web Application Firewall (WAF) (scope: all)

Deploy WAF rules that block SQL injection patterns in the email parameter.

ModSecurity rule:
  SecRule ARGS:email "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Isolate the system behind a firewall with strict access controls
  • Implement network segmentation to limit database server exposure

🔍 How to Verify

Check if Vulnerable:

Submit an SQL injection test payload such as ' OR '1'='1 in the email parameter of the edit pages.

Check Version:

Check the application version in the admin panel or in the configuration files.

Verify Fix Applied:

Confirm that parameterized queries are in place for the email parameter, then re-test with the same SQL injection payloads.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web logs
  • Multiple failed login attempts with SQL patterns

Network Indicators:

  • HTTP requests carrying SQL keywords in the email parameter
  • Unusual database query patterns from the web application

SIEM Query:

source="web_logs" AND ("' OR" OR "UNION SELECT" OR "--" OR ";--") AND uri="*edit*"
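The SIEM query above matches literal strings in the request URI, so a payload that arrives URL-encoded (as browsers and most tools send it) never contains the raw text ' OR. The following added example, not part of the advisory or the vendor's code, scans access-log lines in Apache/nginx combined format, decodes the email parameter of edit-page requests (mirroring the uri="*edit*" scope), and applies the same patterns after decoding. The edit_customer.php path and all log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Payload shapes named in the advisory (tautology, UNION SELECT, comment
# terminators), matched after URL-decoding so encoded requests are not missed.
SQLI_RE = re.compile(
    r"'\s*or\s*'?\d*'?\s*=|\bunion\b\s+(?:all\s+)?select\b|--|'\s*;",
    re.IGNORECASE,
)

# Apache/nginx combined log format: enough fields to recover the request target.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def email_params(target):
    """Decoded values of the email parameter, only for edit pages (mirrors uri="*edit*")."""
    parts = urlsplit(target)
    if "edit" not in parts.path.lower():
        return []
    # parse_qs performs one URL-decode; a second pass catches double-encoded payloads.
    return [unquote_plus(v) for v in parse_qs(parts.query, keep_blank_values=True).get("email", [])]


def scan_line(line):
    """Return a hit record for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    for value in email_params(m["target"]):
        if SQLI_RE.search(value):
            return {"ip": m["ip"], "path": urlsplit(m["target"]).path, "email": value}
    return None


def scan_log(lines):
    return [hit for hit in map(scan_line, lines) if hit]


# Constructed sample lines; edit_customer.php is a hypothetical file name.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /hotel/edit_customer.php?id=7&email=guest%40example.com HTTP/1.1" 200 512',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /hotel/edit_customer.php?id=7&email=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9021',
    '198.51.100.9 - - [10/Oct/2023:13:56:07 +0000] "GET /hotel/edit_customer.php?id=7&email=%2527%2520UNION%2520SELECT%25201%252C2 HTTP/1.1" 200 9044',
    '203.0.113.77 - - [10/Oct/2023:13:57:12 +0000] "GET /hotel/login.php?email=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 640',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Edit forms submitted via POST carry the parameter in the request body, which standard access logs do not record; for those requests the same check has to run in the WAF or application log rather than the access log.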
