CVE-2021-47766
Description
Kmaleon 1.1.0.205 contains an authenticated SQL injection vulnerability in the 'tipocomb' parameter of kmaleonW.php that allows attackers to manipulate database queries. Attackers can exploit this vulnerability using boolean-based, error-based, and time-based blind SQL injection techniques to potentially extract or manipulate database information.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated SQL injection in Kmaleon 1.1.0.205 via 'tipocomb' parameter allows attackers to extract or manipulate database information.
Vulnerability
Description
Kmaleon 1.1.0.205, a law firm management application, contains an authenticated SQL injection vulnerability in the tipocomb parameter of kmaleonW.php. The parameter is not sanitized before being used in database queries, allowing attackers to inject arbitrary SQL commands. This vulnerability can be exploited using boolean-based, error-based, and time-based blind SQL injection techniques [2].
Exploitation
An attacker must be authenticated to the application to reach the vulnerable endpoint. The attack is performed via a GET request to /kmaleonW.php with parameters including tipocomb. The exploit does not require high privileges within the application; any authenticated user can trigger the injection. The backend database is MySQL, and the injection point is in a WHERE or HAVING clause, enabling various blind injection methods [2].
Impact
Successful exploitation allows an attacker to manipulate and extract database information. This could lead to unauthorized access to sensitive data such as client records, case details, and financial information stored in the database. In the worst case, the attacker might escalate privileges or gain full control of the application's data [2].
Mitigation
As of the provided references, no official patch or workaround has been released by the vendor. The exploit has been publicly disclosed, increasing the risk for unpatched installations. Organizations using Kmaleon 1.1.0.205 should consider upgrading to a newer version if available or implementing web application firewall rules to block suspicious SQL patterns [2].
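As an added illustration (example code, not Kmaleon's own source, which the page does not show), the sketch below reconstructs the pattern the advisory describes: a request parameter named tipocomb concatenated into a WHERE clause, next to the parameterized form that removes the injection point. The table, rows and query shape are constructed assumptions; sqlite3 stands in for the MySQL backend.

```python
import sqlite3

# Constructed sample data standing in for the application's database.
# Schema and column names are assumptions for the demonstration only.
SAMPLE_ROWS = [
    (1, "case-A", 1),
    (2, "case-B", 2),
    (3, "case-C", 3),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE cases (id INTEGER, name TEXT, tipocomb INTEGER)")
    conn.executemany("INSERT INTO cases VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, tipocomb):
    # The request parameter is pasted straight into the WHERE clause, so any
    # SQL inside it is parsed as part of the query (the advisory's defect).
    sql = f"SELECT id, name FROM cases WHERE tipocomb = {tipocomb}"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn, tipocomb):
    # Prepared statement: the driver binds the value; it is compared as data
    # and never interpreted as SQL, so a boolean oracle no longer exists.
    sql = "SELECT id, name FROM cases WHERE tipocomb = ?"
    return conn.execute(sql, (tipocomb,)).fetchall()


def has_boolean_oracle(lookup):
    # A boolean-based blind probe works when a true and a false condition
    # appended to the same value yield different result sets. Returns True
    # for the vulnerable lookup and False for the parameterized one.
    conn = make_db()
    true_side = lookup(conn, "1 AND 1=1")
    false_side = lookup(conn, "1 AND 1=2")
    return true_side != false_side


if __name__ == "__main__":
    db = make_db()
    print("legit lookup      :", lookup_fixed(db, "1"))
    print("vulnerable oracle :", has_boolean_oracle(lookup_vulnerable))
    print("fixed oracle      :", has_boolean_oracle(lookup_fixed))
```

The same differential check is what a detection engineer looks for in access logs: paired requests to the same endpoint whose tipocomb value differs only by an appended condition.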
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.