VYPR
Critical severity · NVD Advisory · Published Aug 16, 2022 · Updated Aug 3, 2024

CVE-2022-36272

Description

Mingsoft MCMS 5.2.8 was discovered to contain a SQL injection vulnerability in the /mdiy/page/verify URI via the fieldName parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in Mingsoft MCMS 5.2.8 via fieldName parameter in /mdiy/page/verify allows unauthenticated remote code execution.

Vulnerability

CVE-2022-36272 is a SQL injection vulnerability in Mingsoft MCMS 5.2.8. The flaw resides in the /mdiy/page/verify endpoint, where the fieldName parameter is passed directly to SQL queries without proper sanitization. This occurs in the validated method, which constructs a WHERE clause using user-supplied input [2].

Exploitation

An attacker can exploit this vulnerability by sending a crafted HTTP request to the vulnerable URI with a malicious fieldName parameter. No authentication is required, as the endpoint is accessible to unauthenticated users. The injection allows the attacker to manipulate the SQL query, potentially leading to time-based blind SQL injection attacks (e.g., using SLEEP() functions) [2].

Impact

Successful exploitation enables an attacker to execute arbitrary SQL commands, compromising the confidentiality and integrity of the database. This can result in data theft, unauthorized modification of records, or complete database compromise. The impact is severe, as the attacker may gain full administrative access to the application backend [1].

Mitigation

As of the publication date, no official patch has been released by Mingsoft. Users are advised to either apply input validation filters or upgrade to a newer version if available. The vulnerability has been publicly disclosed, increasing the risk of exploitation [1].

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
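
The input validation advice under Mitigation, as an added example that is not code from the advisory or from Mingsoft: a Java guard that maps the request's fieldName to an allowlisted column before it reaches a WHERE clause, and keeps the compared value as a bind parameter. The class name, the column names and the table name are assumptions made for illustration.

```java
import java.util.Map;
import java.util.regex.Pattern;

// Added example: hypothetical guard, not MCMS code. Column and table names are constructed.
public class FieldNameGuard {
    // Identifiers cannot be sent as PreparedStatement bind parameters, so the
    // request value is only ever used as a key into this fixed map.
    private static final Map<String, String> ALLOWED_COLUMNS = Map.of(
            "pageTitle", "page_title",
            "pageKey", "page_key");

    // Cheap pre-check: plain identifier shape with a bounded length.
    private static final Pattern IDENTIFIER = Pattern.compile("[A-Za-z][A-Za-z0-9_]{0,63}");

    /** Returns the trusted column name, or throws if fieldName is not allowlisted. */
    static String resolveColumn(String fieldName) {
        if (fieldName == null || !IDENTIFIER.matcher(fieldName).matches()) {
            throw new IllegalArgumentException("fieldName is not a plain identifier");
        }
        String column = ALLOWED_COLUMNS.get(fieldName);
        if (column == null) {
            throw new IllegalArgumentException("fieldName is not an allowlisted column");
        }
        return column;
    }

    /** Builds the verification query; 'table' must be a server-side constant, never request data. */
    static String buildVerifySql(String table, String fieldName) {
        // Only the mapped column name is concatenated; the value stays a '?' placeholder.
        return "SELECT COUNT(*) FROM " + table + " WHERE " + resolveColumn(fieldName) + " = ?";
    }

    public static void main(String[] args) {
        // Constructed inputs: one legitimate name, then three that must be rejected.
        String[] samples = {"pageTitle", "page_title OR 1=1", "unknownField", ""};
        for (String s : samples) {
            try {
                System.out.println("accepted: " + buildVerifySql("mdiy_page", s));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected [" + s + "]: " + e.getMessage());
            }
        }
    }
}
```

Rejections should return a generic 400 response and be logged with the source address, since a rejected fieldName on this endpoint is a useful detection signal.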

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
net.mingsoft:ms-mcms (Maven) | <= 5.2.8 |

Affected products

2

Patches

0

No patches discovered yet.

References

3
