CVE-2021-28999

8.8 HIGH

📋 TL;DR

This SQL injection vulnerability in CMS Made Simple allows remote attackers to execute arbitrary SQL commands via the m1_sortby parameter in the News module admin interface. Successful exploitation could lead to data theft, data manipulation, or complete system compromise. All CMS Made Simple installations up to version 2.2.15 are affected.

💻 Affected Systems

Products:
  • CMS Made Simple
Versions: All versions through 2.2.15
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the News module admin interface, which typically requires authentication but could be exploited via stolen credentials or other vulnerabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data exfiltration, data destruction, privilege escalation to admin, and potential remote code execution via database functions.

🟠 Likely Case: Unauthorized data access and modification, potentially leading to website defacement, user data theft, or administrative account takeover.

🟢 If Mitigated: Limited impact with proper input validation and database permissions, potentially only allowing data viewing without modification.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authentication to the admin interface. Public proof-of-concept code is available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.16 and later

Vendor Advisory: https://forum.cmsmadesimple.org/viewtopic.php?f=1&t=84585

Restart Required: No

Instructions:

1. Back up your CMS Made Simple installation and database.
2. Download CMS Made Simple 2.2.16 or later from the official website.
3. Replace all files with the new version, preserving your configuration files.
4. Run the upgrade script if prompted.
5. Verify the installation works correctly.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to filter the m1_sortby parameter to only allow expected values

Modify modules/News/function.admin_articlestab.php to validate m1_sortby parameter against a whitelist of allowed values

WAF Rule

all

Implement web application firewall rules to block SQL injection attempts

Add WAF rule to detect and block SQL injection patterns in m1_sortby parameter

🧯 If You Can't Patch

  • Restrict access to the admin interface using IP whitelisting or VPN
  • Disable or remove the News module if not required

🔍 How to Verify

Check if Vulnerable:

Check if CMS Made Simple version is 2.2.15 or earlier by examining version.php or admin interface

Check Version:

grep '\$CMS_VERSION' version.php

Verify Fix Applied:

Verify installation is version 2.2.16 or later and test the m1_sortby parameter with SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface followed by successful login
  • Unexpected parameter values in m1_sortby field

Network Indicators:

  • SQL injection patterns in HTTP requests to modules/News/function.admin_articlestab.php
  • Unusual database connections from web server

SIEM Query:

source="web_logs" AND uri="*function.admin_articlestab.php*" AND param="*m1_sortby*" AND (value="*UNION*" OR value="*SELECT*" OR value="*INSERT*" OR value="*DELETE*")
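
To act on the "unexpected parameter values in m1_sortby" indicator without relying on a keyword list, the added example below (not code from CMS Made Simple or the vendor advisory) reads access-log lines and reports every m1_sortby value that is not a plain column name with an optional sort direction. The log format (combined), the request path, the column names and the allowlist pattern are assumptions; the sample lines are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: a legitimate sort value is one bare column identifier with an
# optional ASC/DESC direction. Tighten this to the exact values your site sends.
SAFE_SORT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*(?:\s+(?:asc|desc))?", re.IGNORECASE)

# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample lines; the path and column names are placeholders.
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Mar/2021:10:00:01 +0000] "GET /cms/admin/EXAMPLE.php?m1_sortby=news_title HTTP/1.1" 200 5120',
    '192.0.2.10 - - [10/Mar/2021:10:00:05 +0000] "GET /cms/admin/EXAMPLE.php?m1_sortby=news_date+desc HTTP/1.1" 200 5120',
    '192.0.2.44 - - [10/Mar/2021:10:02:13 +0000] "GET /cms/admin/EXAMPLE.php?m1_sortby=news_date%2C(SELECT+1) HTTP/1.1" 200 4310',
    '192.0.2.44 - - [10/Mar/2021:10:02:20 +0000] "GET /cms/admin/EXAMPLE.php?m1_sortby=news_date%2527 HTTP/1.1" 500 812',
    '192.0.2.10 - - [10/Mar/2021:10:03:00 +0000] "GET /cms/admin/EXAMPLE.php?page=2 HTTP/1.1" 200 5120',
]


def sortby_values(line):
    """Return the URL-decoded m1_sortby values found in one log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    query = urlsplit(match.group(1)).query
    return parse_qs(query, keep_blank_values=True).get("m1_sortby", [])


def suspicious_requests(lines):
    """Return (line_number, decoded_value) for every value outside the allowlist."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for value in sortby_values(line):
            # A value that still holds %, quotes, commas, parentheses or extra
            # words after one decode fails the fullmatch and is reported.
            if not SAFE_SORT.fullmatch(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: unexpected m1_sortby value {value!r}")
```

Parameters sent in a POST body do not appear in a standard access log, so this covers query-string traffic only; the same allowlist check can be applied to request-body logging if it is enabled.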
