CVE-2021-46446 – CVE-2021-46446 is a SQL injection vulnerability... (How to Fix)

Q: What is the severity of CVE-2021-46446?

CVE-2021-46446 has a CVSS score of 9.8 (CRITICAL). CVE-2021-46446 is a SQL injection vulnerability in H.H.G Multistore's admin interface that allows attackers to execute arbitrary SQL commands. This affects all installations of H.H.G Multistore v5.1.0 and below with the admin panel accessible. Attackers can potentially access, modify, or delete database content through this vulnerability.

📋 TL;DR

CVE-2021-46446 is a SQL injection vulnerability in H.H.G Multistore's admin interface that allows attackers to execute arbitrary SQL commands. This affects all installations of H.H.G Multistore v5.1.0 and below with the admin panel accessible. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:

H.H.G Multistore

Versions: v5.1.0 and all earlier versions

Operating Systems: Any OS running PHP web server

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin panel access, but default installations typically have admin interface enabled.

📦 What is this software?

Multistore by Hhg Multistore

View all CVEs affecting Multistore →

Multistore by Hhg Multistore

View all CVEs affecting Multistore →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive data including user information, configuration data, and potentially administrative credentials.

🟢

If Mitigated

Limited impact if proper network segmentation and access controls prevent external access to admin interface.

🌐 Internet-Facing: HIGH - Admin interface accessible via web with SQL injection vulnerability.

🏢 Internal Only: HIGH - Even internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires admin access, but SQL injection is straightforward once authenticated. Public PoC demonstrates exploitation technique.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after v5.1.0

Vendor Advisory: https://www.hhg-multistore.com/

Restart Required: No

Instructions:

1. Upgrade to latest version of H.H.G Multistore. 2. Apply vendor-provided patches if available. 3. Verify the /admin/admin.php endpoint properly sanitizes SQL input.

🔧 Temporary Workarounds

Restrict Admin Access

all

Limit access to admin interface using firewall rules or web server configuration

# Example Apache .htaccess:
Order deny,allow
Deny from all
Allow from 192.168.1.0/24
# Example nginx:
location /admin/ {
    allow 192.168.1.0/24;
    deny all;
}

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

# ModSecurity rule example:
SecRule ARGS "@detectSQLi" "id:1000,phase:2,deny"

🧯 If You Can't Patch

Implement strict network segmentation to isolate admin interface from untrusted networks
Deploy database monitoring to detect unusual SQL queries and implement query whitelisting

🔍 How to Verify

Check if Vulnerable:

Check if running H.H.G Multistore v5.1.0 or earlier and test /admin/admin.php?module=admin_access_group_edit&aagID parameter for SQL injection

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test the vulnerable endpoint with SQL injection payloads after patching to confirm they are blocked

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts followed by admin access
Requests to /admin/admin.php with SQL syntax in parameters

Network Indicators:

SQL error messages in HTTP responses
Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/admin/admin.php" AND (query="UNION" OR query="SELECT" OR query="INSERT" OR query="DELETE")

📊 Metadata

CVE ID: CVE-2021-46446

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: January 28, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/blockomat2100/PoCs/blob/main/hhg_multistore/exploit_hhg_multistore.md Exploit,Third Party Advisory
https://www.hhg-multistore.com/ Mitigation,Product,Vendor Advisory
https://github.com/blockomat2100/PoCs/blob/main/hhg_multistore/exploit_hhg_multistore.md Exploit,Third Party Advisory
https://www.hhg-multistore.com/ Mitigation,Product,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2021-46446, you might also want to check these: