CVE-2021-42667

9.8 CRITICAL

📋 TL;DR

CVE-2021-42667 is a critical SQL injection vulnerability in Sourcecodester's Online Event Booking and Reservation System in PHP. It allows attackers to manipulate SQL queries to extract sensitive data or potentially achieve remote code execution. Organizations using this specific PHP/MySQL event management system are affected.

💻 Affected Systems

Products:
  • Sourcecodester Online Event Booking and Reservation System in PHP
Versions: All versions prior to patching (specific version range not specified in CVE)
Operating Systems: Any OS running PHP/MySQL
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in event-management/views component. Requires PHP/MySQL environment.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data exfiltration, and lateral movement within the network.

🟠 Likely Case

Database compromise with extraction of sensitive information including user credentials, personal data, and booking records.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH - Web applications exposed to the internet are directly accessible to attackers.
🏢 Internal Only: MEDIUM - Internal systems could still be exploited by malicious insiders or compromised internal accounts.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Multiple public proof-of-concept exploits available on GitHub. SQL injection can be leveraged for potential RCE through database functions.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check the Sourcecodester website for updates
2. Apply parameterized queries to event-management/views
3. Implement input validation
4. Sanitize user inputs
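The following is an added example illustrating steps 2 and 3 of the fix; it is not code from the Sourcecodester project, and since the page does not show the vulnerable source, the table name `events`, its columns, the `id` request parameter and the connection details are assumptions. It places the vulnerable pattern (request data concatenated into the SQL text) next to the hardened form (input validated, then a mysqli prepared statement with a bound parameter).

```php
<?php
// Added example, not code from the Sourcecodester project. The page does not
// show the vulnerable source, so the table `events`, its columns, the request
// parameter `id` and the connection details below are assumptions.

// BEFORE (vulnerable pattern): the request value is concatenated straight into
// the SQL text, so the database cannot distinguish data from query structure.
function getEventVulnerable(mysqli $db, array $request): ?array
{
    $id  = $request['id'] ?? '';
    $sql = "SELECT id, title, venue, event_date FROM events WHERE id = '" . $id . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_assoc() : null;
}

// AFTER (fixed): validate the input shape first, then send the SQL text and the
// value to the server separately through a prepared statement.
function getEventSafe(mysqli $db, array $request): ?array
{
    // Step 3 of the fix: strict input validation. An event id must be a
    // positive integer; anything else is rejected before the database is touched.
    $id = filter_var(
        $request['id'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null;
    }

    // Step 2 of the fix: parameterized query. The placeholder keeps the query
    // structure fixed no matter what the bound value contains.
    $stmt = $db->prepare('SELECT id, title, venue, event_date FROM events WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc(); // get_result() needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Connection settings are placeholders. Enabling mysqli exceptions makes failed
// prepare/execute calls surface instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'app_user', 'app_password_placeholder', 'event_booking');

$event = getEventSafe($db, $_GET);
header('Content-Type: application/json');
echo json_encode($event ?? ['error' => 'event not found']);
```

The same change applies to every query in event-management/views that reads request data: when auditing the directory (see "Check Version" under How to Verify), search for SQL strings that interpolate or concatenate `$_GET`, `$_POST` or `$_REQUEST` values and convert each one to a prepared statement with bound parameters.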

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection rules to block malicious payloads

Input Validation

all

Implement strict input validation and sanitization for all user inputs

🧯 If You Can't Patch

  • Isolate the system from internet access and restrict to internal network only
  • Implement network segmentation and monitor for suspicious database queries

🔍 How to Verify

Check if Vulnerable:

Test SQL injection payloads in event-management/views endpoints or check for unpatched code in vulnerable files

Check Version:

Check PHP files for vulnerable code patterns in event-management/views directory

Verify Fix Applied:

Verify parameterized queries are implemented and test with SQL injection payloads that should be rejected

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL query patterns
  • Multiple failed login attempts
  • Suspicious database queries from web application

Network Indicators:

  • SQL injection payloads in HTTP requests
  • Unusual database connection patterns

SIEM Query:

source=web_logs AND (sql OR union OR select OR 1=1) AND status=200
