CVE-2021-36484

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in JIZHICMS 1.9.5 allows attackers to execute arbitrary SQL commands through the add or edit article pages. Attackers can potentially read, modify, or delete database content, and in some cases gain full control of the affected system. All users running JIZHICMS 1.9.5 are affected.

💻 Affected Systems

Products:
  • JIZHICMS
Versions: 1.9.5
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the article management functionality accessible through the CMS admin interface.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the database, resulting in data theft, data destruction, and potentially remote code execution and full system takeover.

🟠 Likely Case

Database content exfiltration, privilege escalation, and unauthorized access to sensitive information stored in the CMS database.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing successful exploitation.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the article management interface, typically requiring authentication, though authentication bypass may be possible in some configurations.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.9.6 or later

Vendor Advisory: https://github.com/Cherry-toto/jizhicms

Restart Required: No

Instructions:

1. Back up your current installation and database.
2. Download the latest version from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify functionality after update.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Implement server-side input validation to sanitize user inputs in article management forms.

WAF Rule Implementation (all platforms)

Deploy web application firewall rules to block SQL injection patterns.

🧯 If You Can't Patch

  • Restrict access to the article management interface using IP whitelisting or network segmentation
  • Implement database user privilege reduction to limit potential damage from successful exploitation

🔍 How to Verify

Check if Vulnerable:

Check if running JIZHICMS version 1.9.5 by examining version files or admin panel

Check Version:

Check /application/config/version.php or admin panel system information

Verify Fix Applied:

Verify installation of version 1.9.6 or later and test article management functionality

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by article management access
  • Unexpected database schema changes

Network Indicators:

  • SQL injection patterns in HTTP POST requests to article endpoints
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri="/admin/article/*" OR uri="/article/*") AND (query="UNION" OR query="SELECT *" OR query="DROP" OR query="INSERT")
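
The SIEM query above, applied to web access logs as an added example (not code from JIZHICMS or from this advisory). The log lines, addresses and function names are constructed for illustration. The keywords and URI prefixes come from the query. URL decoding and whole-word matching are added refinements, and POST bodies do not appear in access logs, so only the query string is covered here.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# URI prefixes and keywords taken from the SIEM query on this page.
ARTICLE_PATHS = ("/admin/article/", "/article/")
SQL_KEYWORDS = re.compile(r"\b(?:union|drop|insert)\b|\bselect\s*\*", re.IGNORECASE)
REQUEST = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /admin/article/edit?id=5 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2024:10:00:01 +0000] "GET /admin/article/edit?id=5%20UNION%20SELECT%201 HTTP/1.1" 200 498',
    '192.0.2.10 - - [01/Jan/2024:10:00:02 +0000] "GET /article/list?sort=dropdown HTTP/1.1" 200 900',
    '203.0.113.4 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=union HTTP/1.1" 200 300',
    '198.51.100.23 - - [01/Jan/2024:10:00:04 +0000] "GET /article/view?id=1%2520drop%2520x HTTP/1.1" 403 0',
]

def decode(value, rounds=2):
    """Undo URL encoding, including one layer of double encoding."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def flag_requests(log_lines):
    """Return (client, path, keyword) for article requests whose query matches."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if not m:
            continue  # not a parseable request line
        url = urlsplit(m.group("target"))
        if not url.path.startswith(ARTICLE_PATHS):
            continue  # outside the article endpoints named in the query
        kw = SQL_KEYWORDS.search(decode(url.query))
        if kw:
            hits.append((line.split()[0], url.path, kw.group(0).lower()))
    return hits

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

Whole-word matching keeps values such as `sort=dropdown` from triggering on `DROP`, which a plain substring match would flag.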
