CVE-2021-28295

HIGH

Online Ordering System 1.0 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-28295. PoCs published by Suraj Bhosale.

AI-analyzed exploit summary This exploit demonstrates a blind SQL injection vulnerability in Online Ordering System 1.0 via the 'id' parameter in the admin/design.php endpoint. It includes a proof-of-concept payload and SQLMap usage instructions to extract database information.

Description

Online Ordering System 1.0 is vulnerable to unauthenticated SQL injection through /onlineordering/GPST/admin/design.php, which may lead to database information disclosure.

Exploits (1)

exploitdb WORKING POC
by Suraj Bhosale · textwebappsphp
https://www.exploit-db.com/exploits/49618

This exploit demonstrates a blind SQL injection vulnerability in Online Ordering System 1.0 via the 'id' parameter in the admin/design.php endpoint. It includes a proof-of-concept payload and SQLMap usage instructions to extract database information.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: Online Ordering System 1.0
No auth needed
Prerequisites: Access to the vulnerable endpoint · SQLMap or similar tool for exploitation
devstral-2 · analyzed Feb 18, 2026 Full analysis →

References (1)

Core 1
Core References
Exploit, Third Party Advisory, VDB Entry x_refsource_misc
https://www.exploit-db.com/exploits/49618

Scores

CVSS v3 7.5
EPSS 0.1590
EPSS Percentile 96.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Details

CWE
CWE-89
Status published
Products (1)
online_ordering_system_project/online_ordering_system 1.0
Published Mar 16, 2021
Tracked Since Feb 18, 2026