CVE-2022-42232

Vulnerability

Simple Cold Storage Management System v1.0, built with PHP (xmapp-php8.1) and available from sourcecodester.com, contains a SQL injection vulnerability in the /csms/classes/Master.php script when processing the delete_storage action via the id parameter [1]. The vulnerable endpoint is accessed with f=delete_storage. An authenticated user with any role can exploit this because the vulnerability lies in a POST parameter used to delete storage records; the application directly concatenates the id value into SQL queries without sanitization or parameterized statements [1]. Version 1.0 only is mentioned; no other versions are known.

Exploitation

An attacker must be authenticated—the reference uses the Super Admin account admin/admin123—but any authenticated session likely has access to this endpoint [1]. The attacker sends a POST request to /csms/classes/Master.php?f=delete_storage with a crafted id parameter. The provided proof-of-concept payload uses an error-based SQL injection technique: id=1' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ [1]. This causes the application to generate an XML parsing error that leaks the database name (csms_db) in the error message. Other database values can be extracted by modifying the subquery. No special network position or race condition is required; the attack is straightforward if the attacker can reach the web interface.

Impact

Successful exploitation allows an attacker to extract arbitrary data from the database via error-based inference [1]. The impact is primarily information disclosure—database contents, including user credentials or other sensitive data—because the SQL injection is blind only in the sense that error messages reveal data. The attacker does not gain direct file write or remote code execution from this particular injection point, but the full database dump could expose authentication tokens or other secrets. The privilege level required is authentication with access to the delete_storage functionality; the scope is limited to the database but could include cross-user data.

Mitigation

No official fix has been released for Simple Cold Storage Management System v1.0 as of the publication date (2022-10-14) [1]. The vendor (oretnom23) has not issued a patch; the software may be abandoned or unmaintained. Users should immediately restrict access to the application, disable the vulnerable endpoint if possible, and migrate to an alternative solution that uses parameterized queries or an ORM. This CVE is not listed on the KEV catalog as of now. The only workaround is to manually modify the Master.php code to use prepared statements for the delete_storage SQL query.