VYPR
Unrated severity · NVD Advisory · Published May 13, 2022 · Updated Aug 3, 2024

CVE-2022-30412

Description

Covid-19 Travel Pass Management System v1.0 is vulnerable to SQL Injection via /ctpms/admin/individuals/update_status.php?id=.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Covid-19 Travel Pass Management System v1.0 allows authenticated attackers to extract database information via the id parameter.

Vulnerability

Covid-19 Travel Pass Management System v1.0, available from SourceCodester, contains a SQL injection vulnerability in the file /ctpms/admin/individuals/update_status.php. The id parameter is directly concatenated into SQL queries without sanitization, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in version 1.0 as distributed by oretnom23 [1].

Exploitation

An attacker must first authenticate to the admin panel using default credentials (admin/admin123). Once logged in, a crafted GET request to /ctpms/admin/individuals/update_status.php?id= with a malicious SQL payload can be sent. The reference demonstrates a payload using ' and length(database()) =8--+ to determine the database name length, with response length differences indicating success [1]. No special network position is required beyond access to the web application.

Impact

Successful exploitation allows the attacker to extract sensitive information from the database, such as the database name (ctpms_db), and potentially other tables containing user credentials, travel pass data, or other confidential records. The attack does not require elevated privileges beyond the initial admin login, and the impact is primarily information disclosure [1].

Mitigation

As of the publication date (2022-05-13), no official patch or updated version has been released by the vendor. Users should apply input validation and parameterized queries to the vulnerable endpoint, or restrict access to the admin panel. If the application is no longer maintained, consider replacing it with a secure alternative [1].
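
The input validation and parameterized query named under Mitigation, as an added example (not the application's code, which this page does not show). The table, column and function names and the quoted query shape are assumptions, and an in-memory SQLite database via PDO stands in for the MySQL backend so the script runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in schema; the real ctpms_db tables are not shown on the
// page, and SQLite replaces MySQL here only so the script runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE individuals (id INTEGER PRIMARY KEY, status INTEGER)");
$db->exec("INSERT INTO individuals (id, status) VALUES (1, 0), (2, 0)");

// Weak form (hypothetical): the id value becomes part of the SQL text, so a
// quote in it closes the string literal and the rest is parsed as SQL.
function load_individual_weak(PDO $db, string $id)
{
    $sql = "SELECT id, status FROM individuals WHERE id = '" . $id . "'";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form (hypothetical): accept only a positive integer, then bind it
// as a parameter so the value is never parsed as SQL.
function load_individual_safe(PDO $db, string $id)
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($n === false) {
        return false;
    }
    $stmt = $db->prepare("SELECT id, status FROM individuals WHERE id = :id");
    $stmt->bindValue(':id', $n, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Inputs: a normal id, and the probe string quoted in the Exploitation
// paragraph as it arrives after URL decoding ("+" becomes a space).
$inputs = ["1", "' and length(database()) =8-- "];
foreach ($inputs as $id) {
    try {
        $weak = load_individual_weak($db, $id) ? 'row returned' : 'no row';
    } catch (PDOException $e) {
        // SQLite has no database() function; the error itself shows that the
        // input was parsed as SQL instead of being compared as a value.
        $weak = 'parsed as SQL: ' . $e->getMessage();
    }
    $safe = load_individual_safe($db, $id) ? 'row returned' : 'rejected';
    printf("%-36s weak: %s | safe: %s\n", json_encode($id), $weak, $safe);
}
```

With mysqli the same two steps apply: validate the id as an integer, then use prepare() with a ? placeholder and bind_param('i', ...).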

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

References

1
