VYPR
Unrated severity · NVD Advisory · Published Nov 25, 2022 · Updated Apr 29, 2025

CVE-2022-44858

Description

Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /asms/products/view_product.php.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Automotive Shop Management System v1.0 has a SQL injection vulnerability in the id parameter of view_product.php, allowing unauthenticated attackers to extract database contents.

Vulnerability

Automotive Shop Management System v1.0, a PHP/OOP application by oretnom23, contains a SQL injection vulnerability in the view_product.php script. The id parameter passed via GET request at /asms/products/view_product.php?id= is placed into the SQL query without validation or parameter binding, allowing an attacker to inject arbitrary SQL [1]. The vulnerability was confirmed on the application running under XAMPP with PHP 8.1 [1]. Version v1.0 of the software is affected.

Exploitation

The attacker does not need authentication to exploit the vulnerability; however, the reference payload was provided from the perspective of a logged-in admin (admin/admin123) [1]. The exploit is a single crafted GET request to the vulnerable endpoint with a malicious id value. The reference payload id=7' and updatexml(1,concat(0x7e,(select database()),0x7e),0)--+ is error-based (not time-based) injection [1]: the leading single quote closes the string literal around the id, updatexml() is called with an XPath expression built from the subquery result, and MySQL echoes that invalid expression back in its error message (XPATH syntax error: '~asms_db~'), so the data is read from the error text rather than inferred from response timing. The trailing --+ comments out the rest of the original query. Note that updatexml() error messages are truncated to 32 characters, so longer values have to be extracted in pieces with substring(). The attacker can leverage tools like sqlmap or manually craft injection strings to extract data.

Impact

Successful exploitation allows an attacker to extract sensitive information from the database, such as user credentials, application data, and database schema. The impact is limited to information disclosure (confidentiality breach) as the injection is error-based or possibly boolean-blind; it does not directly lead to remote code execution or privilege escalation beyond what the database user permits [1]. The database name asms_db was revealed as a proof of concept [1].

Mitigation

As of the publication date (2022-11-25), no official patch or fixed version has been released by the vendor. The remediation is to modify view_product.php so that the id value is validated as an integer and passed to the query as a bound parameter (prepared statement) rather than concatenated into the SQL string; escaping alone is a weaker substitute. Because error-based extraction depends on database error messages reaching the client, database errors should also be logged server-side rather than displayed. The application source code is available on SourceCodester [1]; administrators can modify the code themselves or wait for an update from the vendor.
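The following is an added example, not code from the Automotive Shop Management System or from the reference advisory. It shows the query shape that the reference payload implies (the id interpolated inside single quotes) next to a hardened handler of the kind described in the Exploitation and Mitigation sections above. The table and column names (products, id, name, price) and the $conn mysqli handle are assumptions for illustration; the real view_product.php may differ.

```php
<?php
// Added example (not the original view_product.php from the Automotive Shop
// Management System). Table/column names and the $conn mysqli handle are
// assumptions for illustration.

// --- Vulnerable pattern implied by the CVE payload ---
// The payload "7' and updatexml(...)--+" only works if $_GET['id'] is
// interpolated into a single-quoted literal. With that payload the query
// becomes:
//   SELECT * FROM products WHERE id = '7' and
//     updatexml(1,concat(0x7e,(select database()),0x7e),0)-- '
// updatexml() rejects "~asms_db~" as XPath and MySQL reports
//   XPATH syntax error: '~asms_db~'
// If that error text is displayed, the database name reaches the attacker.
function vulnerable_query_string(string $id): string
{
    return "SELECT * FROM products WHERE id = '{$id}'";
}

// --- Hardened pattern ---
// 1. Validate: only a positive integer may reach the query.
// 2. Parameterize: bind the value so it is data, never SQL.
// 3. Do not echo driver errors to the client; error-based SQLi needs them.
//    Under PHP 8.1 mysqli throws mysqli_sql_exception by default, so the
//    failure is caught and logged instead of being rendered in the page.
function fetch_product(mysqli $conn, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return null;
    }

    try {
        $stmt = $conn->prepare('SELECT id, name, price FROM products WHERE id = ?');
        $stmt->bind_param('i', $id);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
    } catch (mysqli_sql_exception $e) {
        error_log('view_product query failed: ' . $e->getMessage()); // log, never display
        http_response_code(500);
        return null;
    }

    return $row ?: null;
}

// Assumed call site inside view_product.php:
// $product = fetch_product($conn, $_GET['id'] ?? '');
// if ($product === null) { exit('Product not found'); }
```

The integer check rejects the reference payload outright (it is not a valid integer), and the bound parameter means even a value that passed validation could not alter the statement. Keeping display_errors off in production completes the third point; the catch block only prevents the stack trace from being rendered by the application itself.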

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0 (no linked articles in our index yet)