CVE-2022-38922
Description
BluePage CMS thru 3.9 processes an insufficiently sanitized HTTP Header Cookie value allowing MySQL Injection in the 'users-cookie-settings' token using a Time-based blind SLEEP payload.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
BluePage CMS through 3.9 does not sanitize an HTTP Cookie value, enabling time-based blind SQL injection in the 'users-cookie-settings' token.
Vulnerability
BluePage CMS versions through 3.9 process an insufficiently sanitized HTTP Header Cookie value that allows MySQL injection in the users-cookie-settings token using a time-based blind SLEEP payload [1][2]. The affected versions include all releases up to and including 3.9.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request with a malicious Cookie header containing a SLEEP-based blind SQL injection payload in the users-cookie-settings token. No authentication or special network position is required; the attacker only needs to be able to send HTTP requests to a vulnerable BluePage CMS instance.
Impact
Successful exploitation allows an attacker to extract sensitive data from the database by observing time delays in the response. This leads to information disclosure, potentially including user credentials, session tokens, or other stored data. The compromise is at the database level, but the attacker does not gain direct file write or remote code execution from this vulnerability alone.
Mitigation
As of the publication date (2023-04-03), no patched version has been released. The vendor's website does not mention a fix [1]. Users should consider upgrading to a newer version if available, or implement a Web Application Firewall (WAF) rule to block suspicious Cookie headers containing SQL-like patterns. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
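The Cookie-header screening suggested above, sketched as an added example (not BluePage CMS or vendor code): it isolates the `users-cookie-settings` token, undoes nested URL encoding, and grades the value. The verdict names, the metacharacter list and the sample headers are constructed assumptions to adapt to what your deployment legitimately issues.

```python
import re
from urllib.parse import unquote_plus

COOKIE_NAME = "users-cookie-settings"  # token named in the CVE description

# MySQL time-delay primitives that time-based blind injection relies on.
TIME_FUNCS = re.compile(r"\b(sleep|benchmark)\s*\(", re.I)
# Assumption: a legitimate settings token never carries these characters.
SQL_META = re.compile(r"['\"`;#]|--|/\*")


def extract_token(cookie_header):
    """Return the raw users-cookie-settings value, or None if absent."""
    for part in cookie_header.split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name.strip() == COOKIE_NAME:
            return value
    return None


def normalize(value, rounds=3):
    """Decode repeatedly so nested URL encoding cannot hide the pattern."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(cookie_header):
    """Grade one Cookie header: absent, allow, review or block."""
    raw = extract_token(cookie_header)
    if raw is None:
        return "absent"
    value = normalize(raw)
    if TIME_FUNCS.search(value):
        return "block"   # delay function inside the token
    if SQL_META.search(value):
        return "review"  # SQL metacharacters, no delay function seen
    return "allow"


if __name__ == "__main__":
    # Constructed sample headers, not captured traffic.
    for header in ("PHPSESSID=abc123; users-cookie-settings=accepted",
                   "users-cookie-settings=1%27%20AND%20SLEEP%285%29--%20-",
                   "PHPSESSID=abc123"):
        print(classify(header), "<-", header)
```

The same function can be run over Cookie headers recovered from proxy or web-server logs to find earlier probing of this token.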
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- BluePage CMS/BluePage CMS (description)
- Range: <=3.9
Patches (0)
No patches discovered yet.
References (3)
News mentions (0)
No linked articles in our index yet.