CVE-2021-47846

CVE-2021-47846 is a critical SQL injection vulnerability in the Digital Crime Report Management System 1.0, a PHP-based web application. The flaw affects multiple login endpoints, including those for police, incharge, user, and HQ roles, where attackers can inject crafted SQL payloads into the email and password parameters. This CWE-89 issue has a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), indicating high confidentiality impact with low integrity impact and no availability disruption.

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no privileges required. By submitting malicious SQL payloads during login attempts, attackers bypass authentication entirely, gaining unauthorized access to the application's backend. This could enable data extraction from the database, given the high confidentiality score, potentially exposing sensitive crime reports or user credentials stored within the system.

Advisories and references, including those from Vulncheck and Exploit-DB (exploit #49761), detail the vulnerability and provide proof-of-concept exploits but do not specify official patches or vendor mitigations. Security practitioners should review these sources for reproduction steps and consider input sanitization, prepared statements, or upgrading to a patched version if available from the source code providers.

A public exploit is available on Exploit-DB, increasing the risk of widespread abuse, though no evidence of real-world exploitation in the wild is noted in the provided details.