CVE-2021-47704

MEDIUM

OpenBMCS 2.4 - Authenticated SQL Injection via obix_test.php id Parameter

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2021-47704. PoCs published by LiquidWorm.

AI-analyzed exploit summary This exploit demonstrates an authenticated SQL injection vulnerability in OpenBMCS 2.4. The 'id' GET parameter in the debug/obix_test.php endpoint is not properly sanitized, allowing arbitrary SQL code injection.

Description

OpenBMCS 2.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting arbitrary SQL code. Attackers can send GET requests to /debug/obix_test.php with malicious 'id' values to extract database information.

Exploits (1)

exploitdb WORKING POC
by LiquidWorm · textwebappsphp
https://www.exploit-db.com/exploits/50668

This exploit demonstrates an authenticated SQL injection vulnerability in OpenBMCS 2.4. The 'id' GET parameter in the debug/obix_test.php endpoint is not properly sanitized, allowing arbitrary SQL code injection.

Classification
Working Poc 90%
Attack Type
Sqli
Complexity
Trivial
Reliability
Reliable
Target: OpenBMCS 2.4
Auth required
Prerequisites: Authenticated user session
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (4)

Core 4
Core References
Exploit, Third Party Advisory, VDB Entry exploit
https://www.exploit-db.com/exploits/50668
Product product
https://www.openbmcs.com
Exploit, Third Party Advisory third-party-advisory
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5692.php

Scores

CVSS v3 6.5
EPSS 0.0034
EPSS Percentile 26.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
OPEN BMCS/OpenBMCS 2.4
openbmcs/openbmcs 2.4
Published Dec 09, 2025
Tracked Since Feb 18, 2026