CVE-2021-47966
Timeclock · PHP Timeclock
PHP Timeclock 1.04 is vulnerable to SQL Injection, allowing an unauthenticated attacker to execute arbitrary SQL commands via the login interface.
Executive summary
An unauthenticated SQL injection vulnerability in PHP Timeclock 1.04 allows attackers to potentially compromise database confidentiality and integrity.
Vulnerability
This is an SQL Injection (CWE-89) vulnerability. The application fails to properly sanitize user input in the login module, allowing an unauthenticated attacker to inject malicious SQL commands.
Business impact
With a CVSS score of 8.2, this vulnerability is severe. Successful exploitation could allow an attacker to bypass authentication, extract sensitive user information, or modify database contents, leading to a total loss of confidentiality for the application's user base.
Remediation
Immediate Action: Upgrade to the latest secure version if available; otherwise, restrict access to the login interface via network-level controls.
Proactive Monitoring: Monitor database query logs for syntax errors, unexpected commands, or large data exports, which are characteristic of SQL injection attempts.
Compensating Controls: Implement a WAF with SQL injection detection rules to filter malicious payloads from incoming HTTP requests.
Exploitation status
Public Exploit Available: Yes — a public exploit is available via ExploitDB (ID 49849).
Analyst recommendation
The presence of a public exploit significantly increases the risk of this vulnerability. Administrators must treat this as a high-priority item and ensure that the application is either patched or isolated from public-facing networks until a fix is confirmed.