SQL Injection Vulnerability in Email Parameter of Video Sharing Website 1.0 Allows Remote Code Execution

SQL Injection Vulnerability in Email Parameter of Video Sharing Website 1.0 Allows Remote Code Execution

CVE-2021-45255 · CRITICAL Severity

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

The email parameter from ajax.php of Video Sharing Website 1.0 appears to be vulnerable to SQL injection attacks. A payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The application interacted with that domain, indicating that the injected SQL query was executed.

Learn more about our Cis Benchmark Audit For Microsoft Sql Server.