CVE-2021-41754

9.8 CRITICAL

📋 TL;DR

CVE-2021-41754 is a SQL injection vulnerability in dynamicMarkt software that allows attackers to execute arbitrary SQL commands through the parent parameter in index.php. This affects all users running dynamicMarkt version 3.10 or earlier. Successful exploitation could lead to data theft, modification, or complete system compromise.

💻 Affected Systems

Products:
  • dynamicMarkt
Versions: <= 3.10
Operating Systems: Any OS running dynamicMarkt
Default Config Vulnerable: ⚠️ Yes
Notes: All installations with default configuration are vulnerable. The vulnerability exists in the core index.php file.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise allowing data exfiltration, modification, or deletion; potential remote code execution if database permissions allow; complete system takeover.

🟠 Likely Case

Unauthorized database access leading to sensitive data exposure (user credentials, personal information, financial data).

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and database user privilege restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public PoC available on GitHub. Exploitation requires minimal technical skill due to simple SQL injection vector.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available, or implement workarounds.

🔧 Temporary Workarounds

Input Validation Filter

all

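Add input validation to sanitize the parent parameter before it is used in a query. FILTER_SANITIZE_NUMBER_INT removes every character except digits and the plus and minus signs, so quotes and SQL keywords are stripped; the query must then use the sanitized $parent value rather than reading $_GET['parent'] again.

Modify index.php to add: $parent = filter_var($_GET['parent'], FILTER_SANITIZE_NUMBER_INT);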

Web Application Firewall Rule

all

Block SQL injection patterns in the parent parameter

Add WAF rule: SecRule ARGS:parent "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Implement network segmentation to isolate dynamicMarkt from critical systems
  • Enable detailed logging and monitoring for SQL injection attempts

🔍 How to Verify

Check if Vulnerable:

Test by sending SQL injection payloads to the parent parameter: /index.php?parent=1' OR '1'='1

Check Version:

Check dynamicMarkt version in admin panel or configuration files

Verify Fix Applied:

Test with the same payloads after implementing the fixes; the application should return an error or a sanitized response.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts following SQL injection patterns
  • Requests with SQL keywords in parent parameter

Network Indicators:

  • HTTP requests containing SQL injection patterns in URL parameters
  • Unusual database traffic from web server

SIEM Query:

source="web_logs" AND (url="*parent=*' OR*" OR url="*parent=*' UNION*" OR url="*parent=*' SELECT*")
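
Access logs usually record the request line still percent-encoded, so a literal match on `' OR` can miss a request that sent `%27`. As an added example (not part of the original advisory or of dynamicMarkt), the Python below decodes the parent parameter from access-log lines and flags every value that is not a plain integer. It assumes combined-format logs and that legitimate parent values are integers, as the sanitizing workaround implies; the function names and log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line inside a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

def fully_decode(value, max_rounds=3):
    """Undo nested percent-encoding, e.g. %2527 -> %27 -> '."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_parent_requests(lines):
    """Return (client_ip, status, decoded_value) for non-integer parent values."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # index.php may be requested by name or as the directory index.
        if not parts.path.endswith(("/index.php", "/")):
            continue
        # parse_qs performs the first round of decoding (%XX and '+').
        for raw in parse_qs(parts.query, keep_blank_values=True).get("parent", []):
            value = fully_decode(raw)
            if not re.fullmatch(r"[0-9]+", value):
                findings.append((m.group("ip"), m.group("status"), value))
    return findings

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2021:13:55:36 +0000] "GET /index.php?parent=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2021:13:56:01 +0000] "GET /index.php?parent=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 48211 "-" "curl/7.79"',
    '203.0.113.9 - - [10/Oct/2021:13:56:04 +0000] "GET /index.php?parent=1%2527+UNION+SELECT+1 HTTP/1.1" 500 310 "-" "curl/7.79"',
    '198.51.100.7 - - [10/Oct/2021:13:57:10 +0000] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, status, value in suspicious_parent_requests(SAMPLE_LOG):
        print(f"{ip} status={status} parent={value!r}")
```

A flagged request that returned status 200 deserves closer review than one that was rejected, since the application processed it.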
