Search criteria
2 vulnerabilities found for Fuel CMS by Getfuelcms
CVE-2021-47980 (GCVE-0-2021-47980)
Vulnerability from nvd – Published: 2026-05-16 15:26 – Updated: 2026-05-18 13:50
VLAI
Title
Fuel CMS 1.4.13 Blind SQL Injection via col Parameter
Summary
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50523 | exploit |
| https://www.getfuelcms.com/ | product |
| https://github.com/daylightstudio/FUEL-CMS/archiv… | product |
| https://www.vulncheck.com/advisories/fuel-cms-bli… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Getfuelcms | Fuel CMS |
Affected:
1.4.13
|
Date Public
2021-04-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47980",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T13:50:09.053019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T13:50:17.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fuel CMS",
"vendor": "Getfuelcms",
"versions": [
{
"status": "affected",
"version": "1.4.13"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.13:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rahad Chowdhury"
}
],
"datePublic": "2021-04-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the \u0027col\u0027 parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the \u0027col\u0027 parameter to extract database information based on response time delays."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:19.913Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50523",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50523"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.getfuelcms.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip"
},
{
"name": "VulnCheck Advisory: Fuel CMS 1.4.13 Blind SQL Injection via col Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/fuel-cms-blind-sql-injection-via-col-parameter"
}
],
"title": "Fuel CMS 1.4.13 Blind SQL Injection via col Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47980",
"datePublished": "2026-05-16T15:26:19.913Z",
"dateReserved": "2026-05-16T14:51:58.601Z",
"dateUpdated": "2026-05-18T13:50:17.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2021-47980 (GCVE-0-2021-47980)
Vulnerability from cvelistv5 – Published: 2026-05-16 15:26 – Updated: 2026-05-18 13:50
VLAI
Title
Fuel CMS 1.4.13 Blind SQL Injection via col Parameter
Summary
Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'col' parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the 'col' parameter to extract database information based on response time delays.
Severity
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://www.exploit-db.com/exploits/50523 | exploit |
| https://www.getfuelcms.com/ | product |
| https://github.com/daylightstudio/FUEL-CMS/archiv… | product |
| https://www.vulncheck.com/advisories/fuel-cms-bli… | third-party-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Getfuelcms | Fuel CMS |
Affected:
1.4.13
|
Date Public
2021-04-11 00:00
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2021-47980",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-18T13:50:09.053019Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-18T13:50:17.798Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Fuel CMS",
"vendor": "Getfuelcms",
"versions": [
{
"status": "affected",
"version": "1.4.13"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:thedaylightstudio:fuel_cms:1.4.13:*:*:*:*:*:*:*",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Rahad Chowdhury"
}
],
"datePublic": "2021-04-11T00:00:00.000Z",
"descriptions": [
{
"lang": "en",
"value": "Fuel CMS 1.4.13 contains a blind SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the \u0027col\u0027 parameter in the Activity Log interface. Attackers can send requests to the logs endpoint with malicious SQL payloads in the \u0027col\u0027 parameter to extract database information based on response time delays."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS"
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-16T15:26:19.913Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"name": "ExploitDB-50523",
"tags": [
"exploit"
],
"url": "https://www.exploit-db.com/exploits/50523"
},
{
"name": "Official Product Homepage",
"tags": [
"product"
],
"url": "https://www.getfuelcms.com/"
},
{
"name": "Product Reference",
"tags": [
"product"
],
"url": "https://github.com/daylightstudio/FUEL-CMS/archive/1.4.13.zip"
},
{
"name": "VulnCheck Advisory: Fuel CMS 1.4.13 Blind SQL Injection via col Parameter",
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/fuel-cms-blind-sql-injection-via-col-parameter"
}
],
"title": "Fuel CMS 1.4.13 Blind SQL Injection via col Parameter",
"x_generator": {
"engine": "vulncheck"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2021-47980",
"datePublished": "2026-05-16T15:26:19.913Z",
"dateReserved": "2026-05-16T14:51:58.601Z",
"dateUpdated": "2026-05-18T13:50:17.798Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}