CVE-2021-38145

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in Form Tools allows low-privileged client users to execute arbitrary SQL commands via the export_group_id parameter. Attackers can potentially access, modify, or delete database content, including sensitive form data and user credentials. All Form Tools installations up to version 3.0.20 with client accounts are affected.

💻 Affected Systems

Products:
  • Form Tools
Versions: through 3.0.20
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires client user accounts with export permissions. Admin accounts are not required for exploitation.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data exfiltration, privilege escalation to admin, and potential server takeover if the SQL injection can be chained into remote code execution.

🟠 Likely Case

Unauthorized access to sensitive form submission data, exposure of user information, and potential modification of form data.

🟢 If Mitigated

Limited impact if input validation and parameterized queries are in place and the application's database account is restricted to read-only operations.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface and requires only low-privileged credentials.
🏢 Internal Only: MEDIUM - Still significant risk from insider threats or compromised accounts, but attack surface is reduced.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires client-level credentials. Public proof-of-concept demonstrates SQL injection via export_group_id parameter manipulation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 3.0.21 or later

Vendor Advisory: https://github.com/formtools/core/

Restart Required: No

Instructions:

1. Back up your Form Tools installation and database.
2. Download the latest version from formtools.org.
3. Replace the core files with the patched version.
4. Verify that export functionality works correctly.

🔧 Temporary Workarounds

Disable Export Manager Module (platform: linux)

Temporarily disable the vulnerable export_manager module to prevent exploitation (run from the Form Tools installation root):

mv modules/export_manager modules/export_manager.disabled

Restrict Client Export Permissions (platform: all)

Remove export permissions from all client accounts in the Form Tools admin panel.

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns in export_group_id parameter
  • Restrict network access to Form Tools installation to trusted IP addresses only

🔍 How to Verify

Check if Vulnerable:

The installation is vulnerable if the version is 3.0.20 or earlier and the export_manager module is present at modules/export_manager/export.php.

Check Version:

grep "define('CORE_VERSION'" core/global/code/Config.class.php

Verify Fix Applied:

Verify that the version is 3.0.21 or later and confirm that export requests with malformed export_group_id values (such as SQL injection payloads) are rejected.
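The two checks above can be scripted. The following is an added example, not code from the advisory or from the Form Tools project: it extracts CORE_VERSION from Config.class.php with a regex (the exact shape of the define() line is assumed from the grep above), compares it against the patched version, and combines that with whether the export_manager module is present. The sample config excerpt is constructed.

```python
import re
from pathlib import Path

PATCHED = (3, 0, 21)  # first fixed release named in the advisory
CONFIG_PATH = "core/global/code/Config.class.php"
MODULE_PATH = "modules/export_manager/export.php"

# Constructed excerpt; the real file has many more defines. The define() form
# is an assumption based on the grep used in the advisory.
SAMPLE_CONFIG = """<?php
define('CORE_VERSION', '3.0.20');
define('CORE_RELEASE_DATE', '20210101');
"""

VERSION_RE = re.compile(
    r"""define\(\s*['"]CORE_VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)


def extract_version(php_source):
    """Return the CORE_VERSION string from Config.class.php, or None if absent."""
    m = VERSION_RE.search(php_source)
    return m.group(1) if m else None


def version_tuple(version):
    """'3.0.20' -> (3, 0, 20); trailing suffixes such as '-beta' are ignored."""
    m = re.match(r"\d+(?:\.\d+)*", version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def assess(php_source, module_present):
    """Classify an install from its config source and module presence.

    Returns one of: 'vulnerable', 'patched', 'module-absent', 'unknown'.
    """
    version = extract_version(php_source)
    if version is None:
        return "unknown"
    if version_tuple(version) >= PATCHED:
        return "patched"
    return "vulnerable" if module_present else "module-absent"


def check_install(root):
    """Run assess() against a Form Tools install rooted at `root`."""
    root = Path(root)
    config = root / CONFIG_PATH
    if not config.is_file():
        return "unknown"
    return assess(config.read_text(errors="replace"), (root / MODULE_PATH).is_file())


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    print(f"{target}: {check_install(target)}")
```

A result of "module-absent" means the core is still old and should be updated, but the workaround of removing the module has closed this particular endpoint.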

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web server logs
  • Multiple export requests with numeric parameters from single client
  • Export requests with suspicious parameter values

Network Indicators:

  • HTTP requests to export.php with SQL keywords in parameters
  • Unusual database query patterns from web application

SIEM Query:

source="web_logs" AND uri="*export.php*" AND (param="*export_group_id=*UNION*" OR param="*export_group_id=*SELECT*" OR param="*export_group_id=*INSERT*")
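The log and SIEM indicators above only fire on raw keyword matches. The following is an added example, not part of the advisory or the Form Tools project: it parses combined-format access-log lines, URL-decodes the query string, and flags any request to export.php whose export_group_id is not a plain integer or contains SQL keywords or quote/comment characters, then tallies hits per client account. The log lines are constructed samples, not real traffic.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

PARAM = "export_group_id"                          # should always be an integer id
ENDPOINT = "/modules/export_manager/export.php"    # path named in the advisory

# Constructed sample lines in Apache/nginx combined format (not real traffic).
SAMPLE_LOGS = """\
10.0.0.5 - client7 [12/Aug/2021:10:01:02 +0000] "GET /modules/export_manager/export.php?export_group_id=3 HTTP/1.1" 200 4211
10.0.0.5 - client7 [12/Aug/2021:10:01:09 +0000] "GET /modules/export_manager/export.php?export_group_id=3%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 812
10.0.0.9 - client2 [12/Aug/2021:10:02:15 +0000] "GET /modules/export_manager/export.php?export_group_id=1%27%20OR%201%3D1 HTTP/1.1" 200 99
10.0.0.9 - client2 [12/Aug/2021:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 1500
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
SQL_KEYWORDS = re.compile(
    r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP|OR|AND|SLEEP|BENCHMARK)\b", re.I
)
SQL_META = re.compile(r"""['";]|--|/\*|#""")


def inspect_value(value):
    """Return the reasons one decoded export_group_id value looks suspicious."""
    reasons = []
    if not re.fullmatch(r"\d+", value):
        reasons.append("non-numeric value")
    for kw in sorted({m.group(1).upper() for m in SQL_KEYWORDS.finditer(value)}):
        reasons.append(f"sql keyword: {kw}")
    if SQL_META.search(value):
        reasons.append("quote/comment characters")
    return reasons


def analyze_log(text):
    """Scan access-log text and return one finding per suspicious export request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        parts = urlsplit(m.group("target"))
        if not parts.path.endswith(ENDPOINT):
            continue
        # parse_qs percent-decodes values, so encoded payloads are inspected in clear.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get(PARAM, []):
            reasons = inspect_value(value)
            if reasons:
                findings.append({
                    "ts": m.group("ts"), "ip": m.group("ip"), "user": m.group("user"),
                    "status": int(m.group("status")), "value": value, "reasons": reasons,
                })
    return findings


def count_by_user(findings):
    """Hits per authenticated client, to surface the 'many requests from one client' indicator."""
    return dict(Counter(f["user"] for f in findings))


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOGS):
        print(f"{f['ts']} {f['user']}@{f['ip']} status={f['status']} "
              f"{PARAM}={f['value']!r}: {', '.join(f['reasons'])}")
    print(count_by_user(analyze_log(SAMPLE_LOGS)))
```

Because the expected value is an integer, the "non-numeric value" rule catches payloads that avoid the keywords the SIEM query lists. Note that access logs only record GET query strings; if the export form submits by POST, the same checks need to run on request bodies captured by a WAF or reverse proxy.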
