CVE-2021-47902
Description
Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Testa Online Test Management System 3.4.7 is vulnerable to SQL injection via the 'q' search parameter, allowing attackers to extract sensitive database information.
Vulnerability Overview
CVE-2021-47902 is a SQL injection vulnerability in Testa Online Test Management System version 3.4.7. The vulnerability exists in the search functionality, where the 'q' parameter is not properly sanitized, allowing an attacker to inject arbitrary SQL commands. This flaw is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) [3].
Exploitation Details
An attacker can exploit this vulnerability by sending a crafted HTTP POST request to the application's search endpoint. The exploit requires no authentication, as the search functionality is accessible to unauthenticated users [2]. The attacker injects a UNION-based SQL payload in the 'q' parameter, as demonstrated in the Proof of Concept (PoC) provided by the Ultra Security Team [2]. The attack vector is network-based (AV:N) with low complexity (AC:L) and no privileges required (PR:N) [3].
Impact
Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, personal data, and other system details. The vulnerability has a high impact on confidentiality (VC:H) according to the CVSS v4 vector [3]. Integrity and availability impacts are limited [3].
Mitigation Status
As of the publication date (2026-01-27), no official patch or workaround has been released by the vendor. Users of Testa Online Test Management System 3.4.7 are advised to restrict access to the search functionality or upgrade to a patched version if available [1].
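As an added example (not taken from this CVE record, the cited PoC, or the Testa code base), the following Python flags UNION-based payloads in the 'q' parameter of POST bodies sent to the search endpoint and shows the parameterised query shape that removes the injection; the request bodies, the in-memory table and its name are constructed assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs, unquote_plus

# UNION-based injection signature: a string/paren/number breakout, then
# UNION [ALL] SELECT with whitespace or inline comments between the keywords.
UNION_SQLI = re.compile(
    r"(?:'|\"|\)|\d)\s*(?:/\*.*?\*/\s*)*union(?:\s|/\*.*?\*/)+(?:all\s+)?select\b",
    re.IGNORECASE | re.DOTALL,
)

def find_sqli_in_search(post_bodies):
    """Return the POST bodies whose 'q' value carries a UNION SELECT payload."""
    hits = []
    for body in post_bodies:
        params = parse_qs(body, keep_blank_values=True)  # decodes %xx and '+'
        # unquote_plus once more so a double-encoded payload is not missed
        if any(UNION_SQLI.search(unquote_plus(q)) for q in params.get("q", [])):
            hits.append(body)
    return hits

def demo_db():
    """Constructed in-memory table standing in for the application's test list."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tests (title TEXT)")
    conn.executemany("INSERT INTO tests VALUES (?)",
                     [("Algebra I",), ("Biology basics",)])
    return conn

def safe_search(conn, q):
    """Parameterised search: the 'q' value is bound as data and never spliced
    into the SQL text, so a UNION payload is just an unmatched search string."""
    cur = conn.execute("SELECT title FROM tests WHERE title LIKE ?",
                       ("%" + q + "%",))
    return [row[0] for row in cur.fetchall()]

# Constructed sample request bodies for the search endpoint (not captured traffic).
SAMPLE_BODIES = [
    "q=algebra&page=1",
    "q=algebra%27+UNION+SELECT+1%2C2%2C3--+&page=1",
    "q=%27%29%20union%2F%2A%2A%2Fall%20select%201%2C2%2C3%2D%2D",
    "q=union+station+history",  # benign text containing the keyword
]

if __name__ == "__main__":
    print(find_sqli_in_search(SAMPLE_BODIES))
    print(safe_search(demo_db(), "algebra"))
```

The regex is a triage signature for request logs or a WAF rule, not a substitute for the parameterised query; only the latter closes the flaw.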
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: = 3.4.7
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.