CVE-2021-44161

HIGH

Changing MOTP >=3.5 - Unauthenticated SQL Injection via Specific Function Parameter

Title source: llm
STIX 2.1

Description

Changing MOTP (Mobile One Time Password) system’s specific function parameter has insufficient validation for user input. A attacker in local area network can perform SQL injection attack to read, modify or delete backend database without authentication.

References (1)

Core 1
Core References
Third Party Advisory x_refsource_misc
https://www.twcert.org.tw/tw/cp-132-5423-84a13-1.html

Scores

CVSS v3 8.8
EPSS 0.0050
EPSS Percentile 39.1%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-89
Status published
Products (1)
changingtec/motp 3.5
Published Dec 29, 2021
Tracked Since Feb 18, 2026