Cyber Resilience

CVE-2021-47902

Severity: High · Public PoC

Published: 27 January 2026
Modified: 15 April 2026
CVSS v4 score: 8.8 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0024 (14.9th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2021-47902 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2021-47902 is a SQL injection vulnerability (CWE-89) affecting Testa Online Test Management System version 3.4.7. The issue arises in the 'q' search parameter: the value is incorporated into a database query without sufficient validation or parameterization, so an attacker can inject SQL via the search field and alter the query the application executes.

The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it exploitable by unauthenticated remote attackers with low complexity and no user interaction required. Successful exploitation allows extraction of database information, potentially exposing sensitive user or system data, with high confidentiality impact and low integrity impact.

Advisories and proof-of-concept exploits provide further details on the issue, including an Exploit-DB entry at https://www.exploit-db.com/exploits/49194 and a VulnCheck advisory at https://www.vulncheck.com/advisories/testa-online-test-management-system-q-sql-injection. An archived version of the vendor site is available at https://web.archive.org/web/20220406031253/https://testa.cc/. No specific patch details are outlined in the provided information.

A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched instances of the affected software.


Vulnerability details

Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1213.006 Databases (Collection)
Adversaries may leverage databases to mine valuable information.
Why these techniques?

SQL injection in a public-facing web application directly enables remote exploitation (T1190) and access to database contents (T1213.006).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25199 (shared CWE-89)
CVE-2026-27179 (shared CWE-89)
CVE-2025-0308 (shared CWE-89)
CVE-2019-25581 (shared CWE-89)
CVE-2026-27885 (shared CWE-89)
CVE-2019-25479 (shared CWE-89)
CVE-2026-1476 (shared CWE-89)
CVE-2019-25526 (shared CWE-89)
CVE-2025-69365 (shared CWE-89)
CVE-2019-25573 (shared CWE-89)

Mitigating Controls (NIST 800-53 r5)

SI-10 Information Input Validation (prevent): Directly requires validation of user inputs like the 'q' search parameter to prevent SQL injection manipulation of database queries.

Prevent: Mandates timely patching and remediation of known flaws such as CVE-2021-47902 to eliminate the SQL injection vulnerability.

RA-5 Vulnerability Monitoring and Scanning (prevent): Requires vulnerability scanning that would identify and enable remediation of SQL injection issues like this CVE prior to exploitation.
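The following is an added example, not code from the advisory or from the Testa project, illustrating the flaw class described under "Deeper analysis" (a search parameter 'q' concatenated into SQL) beside the two fixes the SI-10 input-validation control points at: parameter binding and an allow-list check on the search term. The table and column names, the in-memory SQLite database and the sample rows are all constructed for the demonstration; nothing here reflects Testa's actual schema or code.

```python
"""Added example: unsafe vs. parameterized handling of a search parameter.

Assumptions (not from the advisory): a 'questions' table with a 'title'
column and a 'secret' flag, held in an in-memory SQLite database.
"""
import re
import sqlite3
from typing import List


def build_db() -> sqlite3.Connection:
    """Create a constructed sample database with one row that must never leak."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE questions (id INTEGER PRIMARY KEY, title TEXT, secret INTEGER)"
    )
    conn.executemany(
        "INSERT INTO questions (title, secret) VALUES (?, ?)",
        [("Algebra basics", 0), ("Geometry review", 0), ("Hidden exam key", 1)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, q: str) -> List[str]:
    """The CWE-89 pattern: the 'q' value is spliced into the SQL text itself,
    so quotes, operators and comment markers in q become part of the query."""
    sql = f"SELECT title FROM questions WHERE secret = 0 AND title LIKE '%{q}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, q: str) -> List[str]:
    """Hardened form: the value is bound as a parameter, so the driver never
    interprets it as SQL. LIKE wildcards in q are escaped as well, so a user
    cannot widen the match with '%' or '_' (a separate, non-injection issue)."""
    escaped = (
        q.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    )
    sql = "SELECT title FROM questions WHERE secret = 0 AND title LIKE ? ESCAPE '\\'"
    return [row[0] for row in conn.execute(sql, (f"%{escaped}%",))]


def looks_like_injection(q: str) -> bool:
    """SI-10-style allow-list validation for a search term: accept only
    word characters, whitespace and hyphens, bounded in length. Anything
    else is rejected before it reaches the database layer. Parameter binding
    is the real fix; this check is defence in depth and a detection signal."""
    return re.fullmatch(r"[\w\s\-]{1,64}", q) is None


if __name__ == "__main__":
    db = build_db()
    # Constructed probe input: a tautology plus a comment marker.
    probe = "' OR 1=1 --"
    print("vulnerable, normal term :", search_vulnerable(db, "Algebra"))
    print("vulnerable, probe       :", search_vulnerable(db, probe))
    print("safe, probe             :", search_safe(db, probe))
    print("allow-list rejects probe:", looks_like_injection(probe))
```

Run as a script, the vulnerable function returns every row for the probe input, including the row flagged secret, because the injected `OR 1=1` overrides the `secret = 0` filter and `--` comments out the rest of the query; the parameterized function treats the same input as a literal search string and returns nothing. The allow-list check is also a useful thing to log: a search parameter that fails it is a reasonable detection signal for probing of the 'q' parameter.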
