CVE-2021-46448

9.8 CRITICAL

📋 TL;DR

This vulnerability allows attackers to execute arbitrary SQL commands via the customers.php admin endpoint in H.H.G Multistore. Attackers can potentially access, modify, or delete database content. All users running H.H.G Multistore v5.1.0 or earlier are affected.

💻 Affected Systems

Products:
  • H.H.G Multistore
Versions: v5.1.0 and below
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to the /admin/customers.php endpoint, which may be protected by authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case

Unauthorized access to customer data, administrative credentials, or sensitive business information stored in the database.

🟢 If Mitigated

Limited impact where proper input validation, parameterized queries, and restricted database permissions are in place.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin access or authentication bypass. SQL injection is straightforward once endpoint access is obtained.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: https://www.hhg-multistore.com/

Restart Required: No

Instructions:

1. Check the vendor website for security updates.
2. If no patch is available, implement the workarounds below immediately.
3. Consider migrating to supported software if the vendor is unresponsive.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

Add server-side validation in /admin/customers.php so that cID is accepted only as an integer before it reaches any query.

Modify /admin/customers.php to validate cID as an integer (is_numeric() would also let through floats and exponent notation, so use an integer filter): if (filter_var($_GET['cID'] ?? null, FILTER_VALIDATE_INT) === false) { die('Invalid input'); }

Web Application Firewall Rule (all platforms)

Block SQL injection patterns targeting the vulnerable endpoint.

Add a WAF rule that blocks requests to /admin/customers.php whose cID parameter contains SQL keywords or quote characters. Keyword blocklists are routinely evaded by encoding and case tricks, so treat this as a stopgap rather than a replacement for the code fix.
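The input-validation workaround above, carried through as an added example rather than code from H.H.G Multistore: the vulnerable string-concatenated query beside a hardened handler that validates cID as a positive integer and binds it as a parameter. The table and column names, the function names, and the use of PDO with an in-memory SQLite database are assumptions made so the script runs offline.

```php
<?php
// Added example, not H.H.G Multistore code. Table/column names and the
// PDO + SQLite setup are assumptions so this runs stand-alone.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE customers (customers_id INTEGER PRIMARY KEY, customers_email_address TEXT)');
// Constructed sample rows.
$db->exec("INSERT INTO customers VALUES (1, 'alice@example.test'), (2, 'bob@example.test')");

// Vulnerable pattern: the raw GET value is interpolated into the SQL text,
// so a quote character in cID changes the structure of the WHERE clause.
function lookup_customer_vulnerable(PDO $db, string $cID): array
{
    $sql = "SELECT customers_id, customers_email_address FROM customers WHERE customers_id = '" . $cID . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened pattern, step 1: accept cID only as a positive integer.
// Returns null for anything else (missing, float, exponent notation, quotes).
function parse_customer_id(?string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Hardened pattern, step 2: bind the validated integer as a parameter so the
// value is never parsed as SQL. A real handler would answer HTTP 400 on null.
function lookup_customer_safe(PDO $db, ?string $cID): array
{
    $id = parse_customer_id($cID);
    if ($id === null) {
        return [];
    }
    $stmt = $db->prepare('SELECT customers_id, customers_email_address FROM customers WHERE customers_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a benign id and a classic tautology payload of the kind
// the advisory's verification step describes.
$benign  = '1';
$payload = "1' OR '1'='1";

printf("vulnerable, benign : %d row(s)\n", count(lookup_customer_vulnerable($db, $benign)));
printf("vulnerable, payload: %d row(s)\n", count(lookup_customer_vulnerable($db, $payload))); // tautology matches every row
printf("hardened,   benign : %d row(s)\n", count(lookup_customer_safe($db, $benign)));
printf("hardened,   payload: %d row(s)\n", count(lookup_customer_safe($db, $payload)));       // rejected before any query runs
```

The vulnerable function intentionally keeps the defect the advisory describes; in a real deployment the database account used by the web tier should also be limited to the tables and privileges the store actually needs.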

🧯 If You Can't Patch

  • Restrict network access to admin interface using IP whitelisting
  • Implement database user with minimal permissions (read-only if possible)

🔍 How to Verify

Check if Vulnerable:

Send requests such as /admin/customers.php?page=1&cID=1' with SQL injection test payloads and observe whether database errors or unexpected behaviour result.

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Repeat the same test inputs after applying the fix: the application should return a clean validation error and no database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed login attempts followed by SQL injection patterns
  • Unexpected database queries from admin interface

Network Indicators:

  • HTTP requests to /admin/customers.php containing SQL keywords in parameters
  • Unusual database traffic from web server

SIEM Query:

source="web_logs" AND uri="/admin/customers.php" AND (param="cID" AND value MATCHES "'.*?(SELECT|UNION|INSERT|UPDATE|DELETE|DROP).*?'")
