CVE-2022-29660
Description
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/pic/del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in CSCMS Music Portal System v4.2 allows authenticated admin users to execute arbitrary SQL via the id parameter in the image deletion endpoint.
Vulnerability
CSCMS Music Portal System v4.2 contains a SQL injection in the picture-deletion action of the admin panel (named pic_Pic.php_del in the reference), reachable at /admin.php/pic/admin/pic/del. The id parameter is placed into the database query without validation or parameter binding. The proof-of-concept payload opens with a closing parenthesis, so the parameter lands inside a parenthesised expression (for example an IN (...) list); the exact statement is not shown in the reference. Reaching the endpoint requires an authenticated admin session [1].
Exploitation
An attacker holding valid admin credentials sends a POST request to /admin.php/pic/admin/pic/del with a crafted id parameter. The proof-of-concept in the reference uses id=1)and(sleep(5))--+ (the trailing --+ is the URL-encoded comment `-- `, which discards the remainder of the original statement). When the injection succeeds, the MySQL sleep() call delays the response by roughly five seconds; nothing else in the response changes, which makes this a time-based blind injection. Database content is then extracted one character or bit at a time by wrapping a conditional expression around sleep() and timing each response, a slow but fully automatable process [1].
Impact
Successful exploitation lets an attacker exfiltrate sensitive data from the database, such as admin credential hashes or configuration secrets. The reference demonstrates only time-based extraction, so information disclosure is the confirmed impact; remote code execution is not shown [1]. Because the injectable parameter drives a deletion action, a risk assessment should also treat integrity impact (rows other than the requested picture being removed through a manipulated WHERE clause) as plausible, even though the reference does not demonstrate it.
Mitigation
No official patch had been released by the vendor as of the publication date, and the issue remains open in the vendor's repository [1]. Until a fix ships: restrict admin panel access to trusted users and networks, since an admin session is the only precondition and any compromised admin account turns this into a database-level compromise; on the code side, accept only integer values for id (cast or whitelist-validate before use) and pass them to the database through bound parameters rather than string concatenation. A web application firewall rule on the id parameter is a stop-gap that reduces, but does not remove, the exposure.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
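Added example, not code from the reference or from the vendor's project: a Python model of the pattern described above, using sqlite3 so it runs offline, with the concatenating handler beside a hardened one. The table name pic, its columns, and the statement shape (WHERE id IN (...)) are assumptions inferred only from the payload's leading close-parenthesis; SQLite has no sleep(), so a recording stand-in is registered in its place to show whether the injected call reaches the engine.

```python
import re
import sqlite3

# Payload from the reference, URL-decoded ("--+" on the wire is "-- ").
PAYLOAD = "1)and(sleep(5))-- "


def make_db():
    """Constructed stand-in for the portal's picture table (schema assumed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pic (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO pic (id, name) VALUES (?, ?)",
                     [(1, "a.jpg"), (2, "b.jpg"), (3, "c.jpg")])
    conn.commit()
    return conn


def attach_fake_sleep(conn):
    """SQLite has no sleep(); register one that records its argument instead
    of delaying. A non-empty list afterwards proves attacker SQL executed."""
    calls = []
    conn.create_function("sleep", 1, lambda n: calls.append(n) or 0)
    return calls


def vulnerable_delete(conn, raw_id):
    """Interpolates the request parameter into the statement, the pattern the
    advisory describes. Returns the number of rows deleted."""
    sql = "DELETE FROM pic WHERE id IN (%s)" % raw_id
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


# Only a comma-separated list of integers is an acceptable id value.
ID_LIST = re.compile(r"\d{1,10}(,\d{1,10})*")


def hardened_delete(conn, raw_id):
    """Validates the parameter against a strict whitelist and binds the
    integers as parameters, so the database never parses request text."""
    if not ID_LIST.fullmatch(raw_id):
        raise ValueError("id must be a comma-separated list of integers")
    ids = [int(x) for x in raw_id.split(",")]
    marks = ",".join("?" * len(ids))          # "?,?,?" placeholders only
    cur = conn.execute("DELETE FROM pic WHERE id IN (%s)" % marks, ids)
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM pic ORDER BY id")]


def demo_vulnerable():
    """Returns the arguments sleep() was called with: [5] shows the
    injected function call was executed by the engine."""
    conn = make_db()
    calls = attach_fake_sleep(conn)
    vulnerable_delete(conn, PAYLOAD)
    return calls


def demo_hardened():
    """Returns (payload_rejected, sleep_calls, rows_deleted_for_'2,3',
    remaining_ids). Expected: the payload is rejected before any query runs,
    sleep() is never called, and a legitimate request deletes exactly ids 2,3."""
    conn = make_db()
    calls = attach_fake_sleep(conn)
    try:
        hardened_delete(conn, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    deleted = hardened_delete(conn, "2,3")
    return rejected, calls, deleted, remaining_ids(conn)


if __name__ == "__main__":
    print("vulnerable handler executed sleep() with args:", demo_vulnerable())
    print("hardened handler: rejected=%s sleep_calls=%s deleted=%d remaining=%s"
          % demo_hardened())
```

On MySQL the same concatenated statement produces the five-second delay the reference reports; here the recorded sleep(5) call stands in for it. The hardened handler rejects the payload before a query is built, and the placeholder list it generates contains only `?` marks, so the integer count is the only thing that varies with input.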
Affected products
- CSCMS / Music Portal System
  - Range: <4.3
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/chshcms/cscms/issues/25 (MISC)
News mentions
No linked articles in our index yet.