Vulnerability-Lookup

CNVD-2022-91164

Vulnerability from cnvd - Published: 2022-12-28

Title

MartDevelopers iResturant SQL注入漏洞（CNVD-2022-91164）

Description

MartDevelopers Iresturant是肯尼亚MartDevelopers公司的一个开源轻量级餐厅Erp。用于将社交餐厅运营集成到一个系统中。 MartDevelopers iResturant 1.0存在SQL注入漏洞，该漏洞源于在会员注册时将电子邮件和电话参数值添加到SQL查询中而没有任何验证。攻击者可利用该漏洞执行非法SQL命令窃取数据库敏感数据。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa

Reference

https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md

Impacted products

Name
iresturant_project iresturant v1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-45802",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2021-45802"
    }
  },
  "description": "MartDevelopers Iresturant\u662f\u80af\u5c3c\u4e9aMartDevelopers\u516c\u53f8\u7684\u4e00\u4e2a\u5f00\u6e90\u8f7b\u91cf\u7ea7\u9910\u5385Erp\u3002\u7528\u4e8e\u5c06\u793e\u4ea4\u9910\u5385\u8fd0\u8425\u96c6\u6210\u5230\u4e00\u4e2a\u7cfb\u7edf\u4e2d\u3002\n\nMartDevelopers iResturant 1.0\u5b58\u5728SQL\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5728\u4f1a\u5458\u6ce8\u518c\u65f6\u5c06\u7535\u5b50\u90ae\u4ef6\u548c\u7535\u8bdd\u53c2\u6570\u503c\u6dfb\u52a0\u5230SQL\u67e5\u8be2\u4e2d\u800c\u6ca1\u6709\u4efb\u4f55\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u6267\u884c\u975e\u6cd5SQL\u547d\u4ee4\u7a83\u53d6\u6570\u636e\u5e93\u654f\u611f\u6570\u636e\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2022-91164",
  "openTime": "2022-12-28",
  "products": {
    "product": "iresturant_project iresturant v1.0"
  },
  "referenceLink": "https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md",
  "serverity": "\u9ad8",
  "submitTime": "2022-01-27",
  "title": "MartDevelopers iResturant SQL\u6ce8\u5165\u6f0f\u6d1e\uff08CNVD-2022-91164\uff09"
}

CVE-2021-45802 (GCVE-0-2021-45802)

Vulnerability from cvelistv5 – Published: 2022-01-25 12:56 – Updated: 2024-08-04 04:54

Summary

MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time of membership registration.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

2 references

URL	Tags
https://blog.pocas.kr/posts/sqli-iResturant/	x_refsource_MISC
https://gist.github.com/P0cas/5aa55f62781364a750a…	x_refsource_MISC

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T04:54:29.486Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://blog.pocas.kr/posts/sqli-iResturant/"
          },
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time of membership registration."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2022-01-25T12:56:31.000Z",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://blog.pocas.kr/posts/sqli-iResturant/"
        },
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2021-45802",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "MartDevelopers iResturant 1.0 is vulnerable to SQL Injection. SQL Injection occurs because the email and phone parameter values are added to the SQL query without any verification at the time of membership registration."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://blog.pocas.kr/posts/sqli-iResturant/",
              "refsource": "MISC",
              "url": "https://blog.pocas.kr/posts/sqli-iResturant/"
            },
            {
              "name": "https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md",
              "refsource": "MISC",
              "url": "https://gist.github.com/P0cas/5aa55f62781364a750ac4a4d47f319fa#file-cve-2021-45802-md"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2021-45802",
    "datePublished": "2022-01-25T12:56:31.000Z",
    "dateReserved": "2021-12-27T00:00:00.000Z",
    "dateUpdated": "2024-08-04T04:54:29.486Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2022-91164

CVE-2021-45802 (GCVE-0-2021-45802)

Tags

Sightings

Nomenclature