CVE-2022-29683
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/Label/page_del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CSCMS Music Portal System v4.2 is vulnerable to a blind SQL injection via the `id` parameter in the `/admin.php/Label/page_del` endpoint, allowing attackers to extract sensitive data.
Vulnerability
CSCMS Music Portal System v4.2 contains a blind SQL injection vulnerability in the `sys_Label.php` file, specifically in the `page_del` function. The vulnerability exists in the `id` parameter when processing a POST request to `/admin.php/Label/page_del`. The input from the `id` array parameter is not properly sanitized before being used in a SQL query, allowing an attacker to inject malicious SQL code. The official description and reference [1] confirm this issue in version v4.2.
Exploitation
An attacker can exploit this vulnerability by sending a POST request to `/admin.php/Label/page_del` with a specially crafted `id[]` parameter. The payload `id[]='or+(sleep(5))#` causes a server-side delay of 5 seconds, confirming a blind SQL injection. An authenticated session is required, as evidenced by the `cscms_admin_id` and `cscms_admin_login` cookies in the reference proof-of-concept [1]. The attacker can then use conditional `sleep()` payloads, such as `(case(1)when(ascii(substr((select(database()))from(1)for(1)))=99)then(sleep(5))else(1)end)`, to extract data character by character.
Impact
Upon successful exploitation, an attacker can extract sensitive information from the database, such as the database name (e.g., cscms), user credentials, and other private data. This information disclosure could lead to further compromise of the application and its data.
Mitigation
As of the publication date and the available reference [1], no official fix or patched version has been released for CVE-2022-29683. The vulnerability affects CSCMS Music Portal System v4.2. Until a patch is available, administrators should restrict admin panel access using network controls and consider input validation or parameterized queries as a workaround. This CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog as of this writing.
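One way to apply the input-validation and parameterized-query advice above to an `id[]` array parameter, as an added example (not CSCMS code and not taken from the referenced issue). The helper names, the `page` table and the in-memory SQLite database are assumptions for illustration; the second simulated request carries the URL-decoded probe quoted under Exploitation.

```php
<?php
declare(strict_types=1);

// Hypothetical helper: accept only a bounded array of canonical positive integers.
function parse_id_list(mixed $raw, int $max = 100): array
{
    if (!is_array($raw) || $raw === [] || count($raw) > $max) {
        throw new InvalidArgumentException('id must be a non-empty array');
    }
    $ids = [];
    foreach ($raw as $value) {
        // Digits only: quotes, spaces, signs and parentheses fail ctype_digit; non-strings fail is_string.
        if (!is_string($value) || !ctype_digit($value) || strlen($value) > 9 || (int)$value < 1) {
            throw new InvalidArgumentException('id values must be positive integers');
        }
        $ids[] = (int)$value;
    }
    return array_values(array_unique($ids));
}

// Hypothetical delete routine: values travel as bound parameters, never as SQL text.
function delete_pages(PDO $db, array $ids): int
{
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM page WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// Constructed demo data in an in-memory SQLite database (table name is an assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE page (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO page (id, name) VALUES (1,'a'),(2,'b'),(3,'c')");

// Simulated request bodies: a normal one, then the probe quoted in the text above.
$requests = [
    ['id' => ['1', '3']],
    ['id' => ["'or (sleep(5))#"]],
];
foreach ($requests as $post) {
    try {
        $n = delete_pages($db, parse_id_list($post['id'] ?? null));
        echo "deleted $n row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ' . $e->getMessage() . "\n";
    }
}
```

The allow-list check and the bound parameters are independent layers: either one alone keeps the quoted probe out of the SQL text, and the second request is rejected before any query is prepared.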
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS/Music Portal System
- Range: = 4.2
Patches
No patches discovered yet.
References
- [1] github.com/chshcms/cscms/issues/34 (mitre, x_refsource_MISC)