CVE-2022-29980
Description
Simple Client Management System 1.0 is vulnerable to SQL Injection via /cms/admin/?page=user/manage_user&id=.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple Client Management System 1.0 is vulnerable to SQL injection in the user management page, allowing an authenticated attacker to extract database information.
Vulnerability
Simple Client Management System 1.0, developed by oretnom23 and available from SourceCodester, contains a SQL injection vulnerability in the /cms/admin/?page=user/manage_user&id= endpoint. The id parameter is not sanitized before being used in a SQL query, allowing an attacker to inject arbitrary SQL statements. The vulnerability is present in version 1.0 [1].
Exploitation
An attacker must have administrative access to the /cms/admin/ panel, as the vulnerable page requires authentication. The attacker can inject SQL payloads via the id parameter. For example, the payload 11' and length(database())=6 --+ can be used to perform boolean-based blind SQL injection, where differences in response content length indicate true/false conditions [1]. The attacker can iteratively extract database information such as the database name (cms_db).
Impact
Successful exploitation allows an authenticated attacker to extract sensitive information from the database, including the database name and potentially other data such as user credentials or client records. The attack is limited to information disclosure via blind SQL injection; it does not directly enable remote code execution or privilege escalation beyond the existing admin privileges.
Mitigation
As of the publication date (2022-05-12), no official patch or fixed version has been released by the vendor. Users are advised to implement input validation and parameterized queries for the id parameter, or restrict access to the admin panel to trusted users only. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
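The input validation advised above, written as a strict allow-list check on id and reused to review web-server access logs for requests to the affected page that would fail it. This is an added example, not code from the application or its vendor; the log format, the sample lines and the assumption that id is a short positive integer are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format assumed, not from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - - [12/May/2022:10:01:02 +0000] "GET /cms/admin/?page=user/manage_user&id=11 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/May/2022:10:01:09 +0000] "GET /cms/admin/?page=user/manage_user&id=11%27%20and%20length(database())=6%20--+ HTTP/1.1" 200 5120',
    '198.51.100.9 - - [12/May/2022:10:02:00 +0000] "GET /cms/admin/?page=clients&id=abc HTTP/1.1" 200 812',
    '198.51.100.9 - - [12/May/2022:10:02:05 +0000] "GET /cms/admin/?page=user/manage_user HTTP/1.1" 200 4090',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')
ID_RE = re.compile(r"[0-9]{1,10}")  # assumption: id is a short positive integer key


def is_valid_id(value):
    """Allow-list check to apply before id reaches any SQL statement."""
    return ID_RE.fullmatch(value) is not None


def suspicious_requests(lines):
    """Return (line_number, decoded_id) for manage_user requests whose id fails validation."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        if not url.path.startswith("/cms/admin"):
            continue
        # parse_qs percent-decodes values, so encoded quotes and spaces are seen in clear.
        params = parse_qs(url.query, keep_blank_values=True)
        if "user/manage_user" not in params.get("page", []):
            continue
        # Check every id value, since the parameter may be repeated in one request.
        for value in params.get("id", []):
            if not is_valid_id(value):
                hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in suspicious_requests(SAMPLE_LOG):
        print(f"line {number}: rejected id {value!r}")
```

Validation of this kind complements parameterized queries and does not replace them; the query itself should still bind id as a parameter.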
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Simple Client Management System/Simple Client Management System
- Range: =1.0
Patches
No patches discovered yet.
References