CVE-2021-47980 Overview
CVE-2021-47980 is a blind SQL injection vulnerability in Fuel CMS 1.4.13. The flaw exists in the Activity Log interface, where the col parameter passed to the logs endpoint is not properly sanitized before inclusion in database queries. Authenticated attackers can inject SQL payloads through this parameter to manipulate backend queries. Because the application does not return query results directly, attackers extract data using time-based blind techniques that infer values from response delays. The vulnerability is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command).
Critical Impact
Authenticated attackers can extract arbitrary database contents from Fuel CMS 1.4.13, including administrative credentials, session tokens, and stored content, by issuing time-based blind SQL injection payloads through the col parameter.
Affected Products
- Fuel CMS version 1.4.13
- Activity Log component (logs endpoint)
- Deployments using the vulnerable col query parameter handler
Discovery Timeline
- 2026-05-16 - CVE-2021-47980 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2021-47980
Vulnerability Analysis
Fuel CMS 1.4.13 is an open-source content management system built on the CodeIgniter framework. The Activity Log interface accepts a col parameter that specifies which database column should be referenced when ordering or filtering log entries. The application concatenates this user-supplied value into a SQL query without parameterization or allow-list validation. As a result, an authenticated attacker with access to the administrative interface can append arbitrary SQL syntax to the query.
Because the endpoint does not echo query output in HTTP responses, exploitation relies on blind techniques. Attackers use conditional time delays such as SLEEP() or BENCHMARK() to infer boolean conditions byte by byte. Over repeated requests, this allows full extraction of database tables, including the fuel_users table containing administrator credentials.
Root Cause
The root cause is missing input validation and the absence of prepared statements when constructing the SQL query that uses the col parameter. Column identifiers cannot be safely parameterized in most database drivers, so secure implementations require strict allow-listing against a known set of column names. Fuel CMS 1.4.13 omits this check, treating attacker-supplied strings as trusted SQL fragments.
Attack Vector
Exploitation requires an authenticated session with access to the Activity Log feature. The attacker sends an HTTP request to the logs endpoint, supplying a crafted col parameter containing SQL injection payloads. Time-based payloads conditionally trigger SLEEP calls, and the attacker measures response latency to deduce data values. Public proof-of-concept material is documented in Exploit-DB #50523 and the VulnCheck Advisory on FUEL-CMS.
Detection Methods for CVE-2021-47980
Indicators of Compromise
- HTTP requests to the Fuel CMS logs endpoint containing SQL keywords such as SLEEP, BENCHMARK, UNION, or SELECT in the col parameter.
- Unusually long response times from the Activity Log interface, particularly in repeated bursts that suggest character-by-character data extraction.
- Authenticated administrative sessions originating from atypical IP addresses or user agents immediately preceding suspicious log queries.
Detection Strategies
- Inspect web server and application logs for requests to the logs endpoint where the col parameter deviates from expected column names.
- Deploy web application firewall (WAF) rules that match SQL injection signatures in query string parameters targeting Fuel CMS routes.
- Correlate authentication events with subsequent administrative activity to identify compromised accounts being used for data extraction.
Monitoring Recommendations
- Monitor database query logs for unusual SLEEP or BENCHMARK invocations originating from the Fuel CMS application user.
- Alert on sustained sequences of similar requests to the same administrative endpoint with incrementing payload variations.
- Track outbound network traffic from web servers hosting Fuel CMS to detect data exfiltration following successful injection.
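The log review and burst alerting described above, as an added example (not code from Fuel CMS or the advisory): it flags requests whose col value falls outside an allow-list and groups them per client, keeping only clients with at least one slow response. The endpoint path, column names, log layout, thresholds and sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Assumptions, not taken from the advisory: endpoint path, column names, log layout.
LOGS_ENDPOINT = "/example-admin/logs/items"        # placeholder path
ALLOWED_COLS = {"entry_date", "message", "user"}   # hypothetical column names
SQL_HINTS = re.compile(r"(?i)\b(sleep|benchmark|union|select)\b")

# Access-log line with the request time in seconds appended (constructed layout).
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ (?P<rt>\d+\.\d+)$')

# Constructed sample lines; the col values are inert placeholders.
SAMPLE = [
    '198.51.100.7 - - [01/Jan/2024:10:00:00 +0000] "GET /example-admin/logs/items?col=entry_date&order=desc HTTP/1.1" 200 512 0.041',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /example-admin/logs/items?col=entry_date%2CSLEEP%28N%29 HTTP/1.1" 200 512 5.012',
    '203.0.113.9 - - [01/Jan/2024:10:00:11 +0000] "GET /example-admin/logs/items?col=entry_date%2CSLEEP%28N%29 HTTP/1.1" 200 512 0.038',
    '203.0.113.9 - - [01/Jan/2024:10:00:12 +0000] "GET /example-admin/logs/items?col=CONSTRUCTED_OFFLIST_VALUE HTTP/1.1" 200 512 5.020',
    '198.51.100.7 - - [01/Jan/2024:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 900 0.010',
]

def suspicious_requests(lines):
    """Yield (ip, col, reason, request_time) for col values outside the allow-list."""
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if url.path != LOGS_ENDPOINT:
            continue
        # parse_qs URL-decodes values, so encoded input is compared in decoded form.
        for col in parse_qs(url.query, keep_blank_values=True).get("col", []):
            if col in ALLOWED_COLS:
                continue
            reason = "sql-keyword" if SQL_HINTS.search(col) else "not-allow-listed"
            yield m["ip"], col, reason, float(m["rt"])

def burst_sources(lines, min_hits=3, slow_seconds=2.0):
    """Return {ip: hits} for clients with repeated off-list col values and a slow response."""
    per_ip = defaultdict(list)
    for ip, _col, _reason, rt in suspicious_requests(lines):
        per_ip[ip].append(rt)
    return {ip: len(rts) for ip, rts in per_ip.items()
            if len(rts) >= min_hits and max(rts) >= slow_seconds}
```

Replace ALLOWED_COLS with the column names the deployment's Activity Log actually sorts or filters by, and tune min_hits and slow_seconds against normal response times.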
How to Mitigate CVE-2021-47980
Immediate Actions Required
- Restrict access to the Fuel CMS administrative interface using network controls, VPN, or IP allow-listing to reduce the authenticated attack surface.
- Rotate all administrative credentials and session secrets for Fuel CMS deployments that may have been exposed.
- Audit the fuel_users table and application logs for signs of unauthorized data access or account creation.
Patch Information
No official vendor patch is referenced in the published advisory data. Administrators should monitor the FUEL CMS Official Site and the GitHub FUEL-CMS repository for updated releases. Where no patch is available, organizations should consider migrating off Fuel CMS 1.4.13 or applying source-level fixes that validate the col parameter against an allow-list of known column names.
Workarounds
- Apply a WAF rule that blocks requests to the Fuel CMS logs endpoint containing SQL metacharacters or reserved keywords in the col parameter.
- Modify the application source to validate the col value against a hardcoded list of permitted column identifiers before query construction.
- Disable the Activity Log feature for non-essential administrative roles, limiting access to a minimal set of trusted accounts.
```
# Example WAF rule fragment (ModSecurity) to block SQLi in the col parameter
SecRule ARGS:col "@rx (?i)(select|union|sleep|benchmark|--|;|/\*)" \
    "id:1004780,phase:2,deny,status:403,msg:'Fuel CMS col parameter SQLi attempt'"
```


