VYPR
Unrated severity · NVD Advisory · Published May 12, 2022 · Updated Aug 3, 2024

CVE-2022-29979

Description

Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/classes/Master.php?f=delete_designation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Simple Client Management System 1.0 suffers from SQL injection in the delete_designation action of /cms/classes/Master.php, enabling database information disclosure.

Vulnerability

Simple Client Management System 1.0 contains a SQL injection vulnerability in the id parameter of /cms/classes/Master.php?f=delete_designation. The application fails to sanitize user input before using it in a SQL query. An attacker can inject malicious SQL code through the id parameter to manipulate the database query. The vulnerability affects version 1.0 as distributed on SourceCodester [1].

Exploitation

An authenticated attacker with administrative privileges can exploit this vulnerability by sending a POST request to /cms/classes/Master.php?f=delete_designation with a crafted id parameter. The reference demonstrates a payload id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ that uses error-based SQL injection to extract data. The attacker must have a valid session cookie to access the endpoint [1].

Impact

Successful exploitation allows the attacker to extract sensitive information from the database, such as database names, usernames, and other data via error messages. This leads to information disclosure and could be escalated to further compromise the system.

Mitigation

As of the publication date (2022-05-12), no official patch or update has been released by the vendor. Mitigation involves implementing proper input validation and parameterized queries to prevent SQL injection. Until a fix is available, users should consider disabling the affected functionality or applying a web application firewall rule to block malicious requests [1].
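
The input validation and parameterized query named above, as an added PHP example; it is not code from the vendor or from the referenced advisory. The table name designation_list, the integer id column and the mysqli connection are assumptions.

```php
<?php
// Added example, not the application's own code.
// Assumptions (hypothetical): table `designation_list`, integer key `id`.

/** Accept only a canonical positive integer of at most 9 digits; else null. */
function parse_designation_id($raw): ?int
{
    if (!is_string($raw) || !preg_match('/\A[1-9][0-9]{0,8}\z/', $raw)) {
        return null;
    }
    return (int) $raw;
}

/** Delete one row through a bound parameter; returns a JSON-ready status. */
function delete_designation(mysqli $conn, $rawId): array
{
    $id = parse_designation_id($rawId);
    if ($id === null) {
        return ['status' => 'failed', 'error' => 'invalid id'];
    }
    // Make mysqli throw, so failures are handled in one place below.
    mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
    try {
        // The id travels as a typed parameter and is never spliced into SQL text.
        $stmt = $conn->prepare('DELETE FROM `designation_list` WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $deleted = $stmt->affected_rows;
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        // Log the database message server-side only. Error-based injection
        // depends on that message being echoed back to the client.
        error_log('delete_designation: ' . $e->getMessage());
        return ['status' => 'failed', 'error' => 'database error'];
    }
    return ['status' => $deleted === 1 ? 'success' : 'failed'];
}

// Offline check of the validator on constructed inputs. The second value is
// the payload quoted in the Exploitation section; it is rejected before any
// SQL statement is built.
$samples = ['7', "1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)-- ", '007', ''];
foreach ($samples as $raw) {
    var_export(parse_designation_id($raw));
    echo "\n";
}
// In the handler: echo json_encode(delete_designation($conn, $_POST['id'] ?? null));
```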

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
