Cloud Vulnerability DB
A community-led vulnerabilities database
Vulnerability DatabaseCVE-2021-43091
CVE-2021-43091:
PHP vulnerability analysis and mitigation
Overview
An SQL Injection vulnerability exists in YesWiki doryphore 20211012 via the email parameter in the registration form (NVD). The vulnerability was discovered in March 2022 and affects YesWiki version 4.1.0.
Technical details
The vulnerability is classified as a CWE-89 (SQL Injection) type weakness. It has a CVSS v3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and a CVSS v2.0 base score of 5.0 MEDIUM (Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N) (NVD).
Impact
The vulnerability allows remote attackers to access sensitive information through SQL injection attacks via the email parameter in the registration form. The impact primarily affects confidentiality, with the potential for unauthorized access to database contents (NVD).
Mitigation and workarounds
A patch has been released to fix the vulnerability by implementing proper SQL query escaping. The fix involves using the DbService::escape() method consistently throughout the codebase to properly sanitize user input (YesWiki Patch).
Additional resources
Source: This report was generated using AI
Related PHP vulnerabilities:
Free Vulnerability Assessment
Benchmark your Cloud Security Posture
Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.
Additional Wiz resources
Get a personalized demo
Ready to see Wiz in action?
"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management