VYPR
Unrated severity · NVD Advisory · Published Aug 24, 2022 · Updated Aug 3, 2024

CVE-2022-37178

Description

An issue was discovered in 72crm 9.0. There is a SQL Injection vulnerability in View the task calendar.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2022-37178 is a SQL injection in the task calendar view of 72crm 9.0, allowing an authenticated backend user to execute arbitrary SQL statements via the start_time and stop_time parameters.

Vulnerability

CVE-2022-37178 is a SQL injection vulnerability in 72crm version 9.0, located in the Task.php controller at line 506 within the application\work\controller directory. The getDateList function directly concatenates user-supplied start_time and stop_time parameters into a SQL query without proper sanitization or parameterization, as shown in the vulnerable code [1]. This affects the "View the task calendar" feature after authentication into the backend [1].

Exploitation

An attacker must first authenticate to the 72crm backend, then navigate to the task calendar view and intercept the request. By injecting SQL payloads into the start_time or stop_time parameters, the attacker can execute arbitrary SQL statements. The provided proof-of-concept shows a time-based blind injection using sleep(2) or error-based injection using updatexml() to extract database information [1]. No special privileges beyond backend access are required, and the attack can be carried out by any authenticated user [1].

Impact

Successful exploitation allows an attacker to extract sensitive data from the database, such as the database name and version [1]. Depending on the database permissions, the attacker may be able to enumerate tables, read user credentials, or execute administrative operations, leading to a full compromise of the application's data confidentiality and integrity.

Mitigation

72crm has not released an official patch for version 9.0 at the time of publication, and the issue was reported on GitHub without a fix [1]. As a workaround, users should validate the start_time and stop_time parameters in Task.php and pass them to the database through parameterized queries rather than string concatenation. Upgrade to a later version of 72crm once a fix becomes available. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
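The concatenation flaw and the parameterized fix described above, as an added illustration rather than 72crm's own code: the function, table and column names are hypothetical, and it uses plain PDO with an in-memory SQLite database (assumed to be available) instead of the application's ORM.

```php
<?php
// Added illustration (not 72crm's code). Table and column names are hypothetical.

// Vulnerable pattern: request values are spliced straight into the SQL text, so
// whatever the caller puts in start_time / stop_time becomes part of the query.
function getDateListVulnerable(PDO $db, array $param): array
{
    $sql = "SELECT task_id, name, start_time, stop_time FROM task"
         . " WHERE start_time >= '" . $param['start_time'] . "'"
         . " AND stop_time <= '" . $param['stop_time'] . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version, step 1: accept only a well-formed calendar date. The
// round-trip check rejects values that parse but carry trailing characters.
function assertDate(string $value, string $field): string
{
    $d = DateTime::createFromFormat('Y-m-d', $value);
    if ($d === false || $d->format('Y-m-d') !== $value) {
        throw new InvalidArgumentException("$field must be a YYYY-MM-DD date");
    }
    return $value;
}

// Hardened version, step 2: bind the validated values as parameters, so they
// are sent as data and can never alter the structure of the statement.
function getDateListSafe(PDO $db, array $param): array
{
    $start = assertDate($param['start_time'] ?? '', 'start_time');
    $stop  = assertDate($param['stop_time'] ?? '', 'stop_time');
    $stmt = $db->prepare(
        'SELECT task_id, name, start_time, stop_time FROM task'
        . ' WHERE start_time >= :start AND stop_time <= :stop'
    );
    $stmt->execute([':start' => $start, ':stop' => $stop]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data (not from the advisory).
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE task (task_id INTEGER, name TEXT, start_time TEXT, stop_time TEXT)');
$db->exec("INSERT INTO task VALUES (1, 'Review', '2022-08-02', '2022-08-03')");

print_r(getDateListSafe($db, ['start_time' => '2022-08-01', 'stop_time' => '2022-08-31']));

try {
    getDateListSafe($db, ['start_time' => 'not-a-date', 'stop_time' => '2022-08-31']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n"; // malformed input is rejected before any SQL runs
}
```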

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
