CVE-2022-29689
Description
CSCMS Music Portal System v4.2 was discovered to contain a blind SQL injection vulnerability via the id parameter at /admin.php/singer/admin/singer/del.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in CSCMS Music Portal System v4.2 allows an authenticated admin to execute arbitrary SQL queries via the id parameter, risking data exfiltration.
Vulnerability
CSCMS Music Portal System v4.2 contains a blind SQL injection vulnerability in the singer_Singer.php_del file. The flaw is triggered when an administrator deletes a singer via the /admin.php/singer/admin/singer/del endpoint. The id parameter in the POST request is not properly sanitized and is concatenated directly into an SQL query, allowing an attacker to inject malicious SQL code [1].
Exploitation
An attacker must first obtain a valid administrator session by logging into the admin panel. After adding a singer, the attacker sends a POST request to /admin.php/singer/admin/singer/del with a crafted id parameter. The reference demonstrates a payload id=1)and(sleep(5))--+ that causes a 5-second delay, confirming blind injection. More advanced payloads can extract database contents by evaluating boolean conditions [1].
Impact
Successful exploitation allows an authenticated administrator to perform blind SQL injection attacks, enabling the attacker to extract sensitive information from the database, such as credentials, user data, or configuration details. The attack does not directly grant remote code execution but can compromise data confidentiality [1].
Mitigation
As of the publication date, no official patched version has been released by the vendor. The issue is tracked in the project's issue tracker. Administrators should restrict access to the admin panel and monitor database queries for anomalies. Until a fix is available, consider input validation on the id parameter or applying a web application firewall rule [1].
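One way to apply the input validation suggested above, shown as an added example that is not CSCMS code. The table name singer, the helper names and the comma-separated or array id format are assumptions, and an in-memory SQLite database stands in for the application's database; the example goes one step past validation by also binding the ids in a prepared statement.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (PHP 8+): accept one id, a comma-separated list or an
// array of ids, and return positive decimal integers only.
function parseIdList(mixed $raw): array
{
    $items = is_array($raw) ? $raw : explode(',', (string) $raw);
    $ids = [];
    foreach ($items as $item) {
        // ctype_digit rejects signs, spaces, parentheses, comments and "".
        if (!is_string($item) || !ctype_digit($item) || strlen($item) > 9) {
            throw new InvalidArgumentException('id must be a decimal integer');
        }
        $ids[] = (int) $item;
    }
    if ($ids === []) {
        throw new InvalidArgumentException('no id supplied');
    }
    return $ids;
}

// Hypothetical delete routine: one "?" per id, values bound as integers,
// so request data never becomes part of the SQL text.
function deleteSingers(PDO $db, array $ids): int
{
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM singer WHERE id IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed demo data, not taken from the application.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE singer (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO singer (name) VALUES ('a'), ('b'), ('c')");

// Constructed inputs; the last is the probe string quoted under Exploitation.
foreach (['1', ['2', '3'], '1)and(sleep(5))--+'] as $input) {
    $label = json_encode($input);
    try {
        $n = deleteSingers($db, parseIdList($input));
        echo "$label: deleted $n row(s)\n";
    } catch (InvalidArgumentException $e) {
        echo "$label: rejected ({$e->getMessage()})\n";
    }
}
```

The first two inputs delete one and two rows; the third is rejected before any SQL is prepared.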
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- CSCMS/Music Portal System
  - Range: =4.2
Patches
No patches discovered yet.
References
[1] github.com/chshcms/cscms/issues/28 (mitre, x_refsource_MISC)