CVE-2022-29669
Description
CSCMS Music Portal System v4.2 was discovered to contain a SQL injection vulnerability via the id parameter at /admin.php/news/admin/lists/zhuan.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 is vulnerable to a time-based blind SQL injection in the admin news list endpoint via the id parameter. An attacker holding a valid admin session can execute arbitrary SQL and, using conditional delays, extract database contents one character at a time.
Vulnerability
CSCMS Music Portal System v4.2 contains a SQL injection vulnerability in the news_Lists.php zhuan handler, reached via /admin.php/news/admin/lists/zhuan. The id parameter (submitted as the array id[]) reaches a SQL statement without validation or parameterization, so arbitrary SQL can be injected. The issue is authenticated: the endpoint requires a valid admin session cookie [1].
Exploitation
The attacker needs an admin session (the report uses the cscms_admin_id and cscms_admin_login cookies) [1]. A POST request whose id[] parameter carries a SQL expression is evaluated by the database. The payload id[]=(sleep(5)) delays the response by 5 seconds, which confirms time-based blind injection [1]. Data can then be read character by character with conditional delays: the payload (case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end) sleeps only if the first character of the current database name has ASCII code 99, that is, 'c', and is repeated for each position and candidate value [1].
Impact
Successful exploitation lets an authenticated attacker run arbitrary SQL against the application database: reading, modifying, or deleting its contents, including sensitive data such as credentials and personal information. Because the injection is blind, extraction relies on conditional delays and is slow but complete [1]. The attacker already holds an admin session, so the added damage is direct database access beyond what the admin interface exposes, including other accounts' credentials and any data the interface does not display.
Mitigation
No official fix had been released when the report was filed, and the vendor (chshcms) had not responded to the issue [1]. Until a patch is available, restrict admin panel access to trusted networks, cast every element of the id parameter to an integer (or bind it as a query parameter) before it reaches the query, and consider disabling the vulnerable endpoint. The CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.
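The defect class and the fix above, as an added example in Python with sqlite3; this is not the cscms code base (which is PHP) nor the exact query behind the zhuan handler, and the news table, its rows and the hidden "secret" column are constructed for the demonstration.

```python
"""Vulnerable vs. hardened handling of an id[] list parameter.

Added example, not project code: the table and rows are constructed.
"""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two public rows and one that should stay hidden."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, title text, secret integer)")
    conn.executemany("insert into news values (?, ?, ?)",
                     [(1, "public one", 0), (2, "public two", 0), (3, "draft", 1)])
    return conn


def list_unsafe(conn: sqlite3.Connection, ids: list[str]) -> list[tuple]:
    """Interpolates the raw request values into the statement (the defect class):
    any element that contains SQL is executed as SQL."""
    sql = "select id, title from news where id in (" + ",".join(ids) + ") order by id"
    return conn.execute(sql).fetchall()


def parse_ids(ids: list[str]) -> list[int]:
    """Accept only values that are whole integers; anything else is rejected
    before it can reach a query."""
    clean = []
    for raw in ids:
        try:
            clean.append(int(raw))
        except (TypeError, ValueError):
            raise ValueError(f"rejected non-integer id: {raw!r}")
    return clean


def list_safe(conn: sqlite3.Connection, ids: list[str]) -> list[tuple]:
    """Validated integers bound as parameters: the placeholders are generated,
    the values never touch the SQL text."""
    clean = parse_ids(ids)
    placeholders = ",".join("?" for _ in clean)
    sql = f"select id, title from news where id in ({placeholders}) order by id"
    return conn.execute(sql, clean).fetchall()


def rejected(ids: list[str]) -> bool:
    """True if the hardened path refuses this id list."""
    try:
        parse_ids(ids)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    conn = setup_db()
    attack = ["1) or secret=1 or (0"]  # closes the IN list and adds a condition
    print(list_unsafe(conn, attack))   # leaks the hidden row alongside id 1
    print(list_safe(conn, ["1", "2"]))
    print(rejected(attack))
```

The same rule applies to the PHP side: reduce id[] to integers (for example with an intval cast per element) before building the IN list, or pass the values as bound parameters.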
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS / Music Portal System
  Range: = 4.2
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
[1] https://github.com/chshcms/cscms/issues/20 (MISC)
News mentions
No linked articles in our index yet.