CVE-2021-47902
Published: 27 January 2026
Summary
CVE-2021-47902 is a high-severity SQL Injection (CWE-89) vulnerability. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 14.9th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a referenced public proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2021-47902 is a SQL injection vulnerability (CWE-89) affecting Testa Online Test Management System version 3.4.7. The issue arises in the 'q' search parameter, where insufficient input validation allows attackers to inject malicious SQL code via the search field, enabling manipulation of database queries.
The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N), making it exploitable by unauthenticated remote attackers with low complexity and no user interaction required. Successful exploitation allows extraction of database information, potentially exposing sensitive user or system data, with high confidentiality impact and low integrity impact.
Advisories and proof-of-concept exploits provide further details on the issue, including an Exploit-DB entry at https://www.exploit-db.com/exploits/49194 and a VulnCheck advisory at https://www.vulncheck.com/advisories/testa-online-test-management-system-q-sql-injection. An archived version of the vendor site is available at https://web.archive.org/web/20220406031253/https://testa.cc/. No specific patch details are outlined in the provided information.
A public exploit is available on Exploit-DB, indicating potential for real-world abuse against unpatched instances of the affected software.
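The pattern behind this CVE, as an added example written for this page (not Testa's own source, which the page does not show; the `tests` table, its rows and the schema are constructed): the 'q' value spliced into the query text beside the same lookup with 'q' bound as a parameter, plus the kind of SI-10 input check the mitigations section refers to.

```python
import sqlite3

# Constructed in-memory stand-in for the application's catalogue table; the
# real Testa schema is not given on the page, so this layout is an assumption.
def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tests (id INTEGER, title TEXT, visible INTEGER)")
    con.executemany("INSERT INTO tests VALUES (?, ?, ?)", [
        (1, "Algebra midterm", 1),
        (2, "Chemistry quiz", 1),
        (3, "Draft: unpublished exam", 0),   # hidden row the search must never return
    ])
    return con

def search_vulnerable(con, q):
    # CWE-89 pattern: q is spliced into the SQL text, so a quote inside q
    # ends the string literal and the remainder is parsed as query grammar.
    sql = f"SELECT title FROM tests WHERE visible = 1 AND title LIKE '%{q}%'"
    return [row[0] for row in con.execute(sql)]

def search_parameterized(con, q):
    # Fix: bind q as a parameter; the driver passes it as data, never as SQL.
    sql = "SELECT title FROM tests WHERE visible = 1 AND title LIKE ?"
    return [row[0] for row in con.execute(sql, (f"%{q}%",))]

def validate_q(q):
    # SI-10 defence in depth: a search term has no business containing quotes,
    # comment markers or SQL punctuation; reject rather than try to sanitise.
    return 0 < len(q) <= 64 and all(ch.isalnum() or ch in " -_" for ch in q)

def demo():
    con = make_db()
    benign = "quiz"
    # Constructed sample of a 'q' value that breaks out of the string literal.
    hostile = "x%' OR 1=1 --"
    return {
        "vulnerable_benign": search_vulnerable(con, benign),
        "vulnerable_hostile": search_vulnerable(con, hostile),      # leaks all rows
        "parameterized_benign": search_parameterized(con, benign),
        "parameterized_hostile": search_parameterized(con, hostile),  # literal match, []
        "validate_benign": validate_q(benign),
        "validate_hostile": validate_q(hostile),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```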
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2021-34748
Vulnerability details
Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the 'q' search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
SQL injection in a public-facing web application directly enables remote exploitation (T1190) and database data access (T1213.006).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires validation of user inputs such as the 'q' search parameter, preventing SQL injection from manipulating database queries.
- SI-2 (Flaw Remediation): mandates timely patching and remediation of known flaws such as CVE-2021-47902, eliminating the SQL injection vulnerability.
- RA-5 (Vulnerability Monitoring and Scanning): requires vulnerability scanning that would identify SQL injection issues like this CVE and enable remediation before exploitation.