VYPR
High severity · 7.1 · NVD Advisory · Published May 16, 2026 · Updated May 18, 2026

CVE-2021-47980

Description

Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Fuel CMS 1.4.13 has a blind SQL injection in the Activity Log's 'col' parameter, allowing authenticated attackers to extract data via time-based delays.

Vulnerability

Fuel CMS version 1.4.13 contains a blind SQL injection vulnerability in the Activity Log interface. The col parameter in requests to the /fuel/logs/items endpoint is not properly sanitized, allowing an authenticated attacker to inject arbitrary SQL code. The vulnerability is classified as CWE-89 (SQL Injection) [2]. Affected versions: Fuel CMS <= 1.4.13 [2].

Exploitation

An attacker must first authenticate to the Fuel CMS panel. Then, navigating to the Activity Log menu, the attacker can craft a request to the logs endpoint with a malicious payload in the col parameter. For example, appending and (select * from(select(sleep(1)))a) causes a time delay proportional to the sleep value, confirming the blind injection [3]. The attacker can then use time-based techniques to extract database contents character by character.

Impact

Successful exploitation allows an authenticated attacker to extract sensitive information from the database, such as user credentials or other data, by observing response time delays. The CVSS v3 score is 7.1 (High) [2], indicating significant confidentiality impact with low attack complexity.

Mitigation

As of the available references, no official patch has been released for Fuel CMS 1.4.13. The vendor homepage [1] does not mention a fix. Users should consider upgrading to a newer version if available, or restrict access to the Activity Log interface to trusted users only. The vulnerability is listed in the Exploit Database [3] but not in the CISA KEV as of the publication date.
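To make the mechanics and the mitigation above concrete, the following is an added example (not Fuel CMS's own code): a sort parameter pasted into an ORDER BY clause, the allowlist-based fix that applies when identifiers cannot be bound as prepared-statement parameters, and a log check that flags any col value outside the allowlist. That col is used as a sort column and arrives in the query string, the column and table names, and the access-log format are all assumptions for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Allowlist of sortable Activity Log columns: the value a client may send -> real
# column name. Column and table names are assumptions, not taken from Fuel CMS.
ALLOWED_COLS = {"id": "id", "user": "user_id", "entry": "entry", "date": "date_added"}
ALLOWED_ORDER = {"asc": "ASC", "desc": "DESC"}
TABLE = "fuel_logs"  # assumed table name

def build_order_by_unsafe(col: str, order: str) -> str:
    """Vulnerable pattern: the identifier is pasted into the SQL text, so anything
    appended to a valid column name (e.g. an AND with a sleep()) is executed."""
    return f"SELECT * FROM {TABLE} ORDER BY {col} {order}"

def is_allowed_sort(col: str, order: str) -> bool:
    """True only if both values are allowlist keys."""
    return col in ALLOWED_COLS and order.lower() in ALLOWED_ORDER

def build_order_by(col: str, order: str) -> str:
    """Hardened pattern: identifiers cannot be bound as prepared-statement parameters,
    so input only selects an allowlist entry; the SQL is built from allowlist values."""
    if not is_allowed_sort(col, order):
        raise ValueError("unknown sort column or direction")
    return f"SELECT * FROM {TABLE} ORDER BY `{ALLOWED_COLS[col]}` {ALLOWED_ORDER[order.lower()]}"

REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')

def suspicious_col_requests(log_lines):
    """Detection: every col= value sent to the logs endpoint that is not an allowlist
    key. Keyed on the allowlist, not payload keywords, so any SQL in col is flagged."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m or "/fuel/logs" not in m.group("path"):
            continue
        for value in parse_qs(urlsplit(m.group("path")).query).get("col", []):
            if value not in ALLOWED_COLS:
                hits.append(value)
    return hits

# Constructed access-log lines (not real traffic); the second carries the
# time-delay payload quoted in the advisory, URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [16/May/2026:10:00:01 +0000] "GET /fuel/logs/items?col=date&order=desc HTTP/1.1" 200 512',
    '10.0.0.9 - - [16/May/2026:10:00:07 +0000] "GET /fuel/logs/items?col=date%20and%20(select%20*%20from(select(sleep(1)))a)&order=asc HTTP/1.1" 200 512',
]
```

Because the detector keys on the allowlist rather than on keywords, obfuscated payloads and ordinary typos in col are both surfaced; the latter are cheap to triage.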

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
