CVE-2022-29663
Description
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/pic/admin/type/hy.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 has a SQL injection vulnerability in the id parameter at /admin.php/pic/admin/type/hy, allowing authenticated attackers to perform time-based blind SQL injection.
Vulnerability
CSCMS Music Portal System v4.2 contains a SQL injection vulnerability in the id parameter of the /admin.php/pic/admin/type/hy endpoint. The flaw resides in pic_Type.php_hy and is reachable when an authenticated administrator creates an album, deletes it, and then restores it from the recycle bin while injecting malicious SQL statements [1]. The affected version is v4.2.
Exploitation
An attacker must have administrative credentials to log in to the backend. The exploitation sequence involves adding an album, deleting it, and then sending a crafted POST request to /admin.php/pic/admin/type/hy with a payload in the id parameter, such as id=7)and(sleep(5))--+. The server's response is delayed by 5 seconds, confirming blind SQL injection [1]. The attacker can then use time-based techniques to extract database contents.
Impact
Successful exploitation allows an authenticated attacker to perform time-based blind SQL injection, potentially leading to unauthorized disclosure of sensitive database information, including administrator credentials and other application data. This compromises the confidentiality of the system [1].
Mitigation
The vendor has not released a fixed version as of the publication date (2022-05-26) [1]. Administrators should restrict backend access to trusted users, apply input sanitization or use parameterized queries, and monitor for unusual request patterns. The CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
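To make the mitigation concrete, the following added example (not CSCMS code) places the string-concatenation pattern the report implies beside the validated, parameterized query recommended above, using the report's own id value. The table, the in-memory sqlite3 database and the recorded sleep() function are constructed stand-ins for MySQL and the real schema.

```python
import re
import sqlite3

# Constructed in-memory stand-in for an album-type table with a recycle-bin
# flag; this is not the real CSCMS schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pic_type (id INTEGER PRIMARY KEY, name TEXT, is_deleted INTEGER)")
    conn.executemany("INSERT INTO pic_type VALUES (?, ?, ?)",
                     [(7, "rock", 1), (8, "jazz", 1), (9, "pop", 0)])
    # Stand-in for MySQL's sleep(): record each call instead of blocking,
    # so a test can see whether injected SQL reached the engine at all.
    calls = []
    conn.create_function("sleep", 1, lambda n: calls.append(n) or 0)
    return conn, calls

def restore_vulnerable(conn, raw_id):
    """Flawed pattern: the request's id value is pasted into the SQL text.
    Returns the number of rows restored from the recycle bin."""
    sql = "UPDATE pic_type SET is_deleted=0 WHERE id IN (%s)" % raw_id
    return conn.execute(sql).rowcount

def restore_hardened(conn, raw_id):
    """Mitigated pattern: reject anything but a decimal id, then bind it as a
    parameter so it can only ever be a value, never SQL syntax.
    Returns the number of rows restored, or None if the input was rejected."""
    if not re.fullmatch(r"[0-9]+", raw_id):
        return None
    sql = "UPDATE pic_type SET is_deleted=0 WHERE id = ?"
    return conn.execute(sql, (int(raw_id),)).rowcount

def is_deleted(conn, album_id):
    """Recycle-bin state of one album, or None if no such album exists."""
    row = conn.execute("SELECT is_deleted FROM pic_type WHERE id = ?", (album_id,)).fetchone()
    return bool(row[0]) if row else None

PAYLOAD = "7)and(sleep(5))--+"   # the id value quoted in the report

if __name__ == "__main__":
    conn, calls = make_db()
    restore_vulnerable(conn, PAYLOAD)
    print("vulnerable path: sleep() calls =", calls)      # injected call executed
    calls.clear()
    print("hardened path:", restore_hardened(conn, PAYLOAD), "sleep() calls =", calls)
    print("hardened path with '7': rows restored =", restore_hardened(conn, "7"))
```

In the concatenated version the `--+` comments out the closing parenthesis and the injected `sleep(5)` runs inside the engine, which is exactly the timing side channel the report describes; the hardened version never lets the value become syntax.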
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS / Music Portal System
  - Range: = v4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] github.com/chshcms/cscms/issues/22
News mentions
No linked articles in our index yet.