CVE-2022-44860
Description
Automotive Shop Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /admin/transactions/update_status.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Automotive Shop Management System v1.0 allows authenticated attackers to extract database information via the id parameter.
Vulnerability
Automotive Shop Management System v1.0, a PHP-based application from SourceCodester, contains a SQL injection vulnerability in the /admin/transactions/update_status.php endpoint. The id parameter is directly concatenated into SQL queries without proper sanitization or parameterization, allowing an authenticated attacker to inject arbitrary SQL commands. The vulnerability is present in the version distributed via the official SourceCodester link and was tested on XAMPP with PHP 8.1 [1].
Exploitation
An attacker must first authenticate with valid credentials; the reference uses the default super admin account admin/admin123 [1]. Once logged in, the attacker sends a crafted GET request to /asms/admin/transactions/update_status.php?id= with a SQL payload in the id parameter. The reference demonstrates an error-based injection using MySQL's updatexml() function, which returns the result of an injected subquery inside the XPath syntax error message; this is used to extract database metadata such as the database name (asms_db). The attack requires no special network position beyond HTTP access to the web application [1].
Impact
Successful exploitation allows an authenticated attacker to read arbitrary data from the database, including sensitive information such as user credentials, transaction records, and other application data. The injection can be extended to extract the entire database contents, leading to a complete compromise of confidentiality. The attacker does not gain direct code execution but can leverage further SQL injection techniques to escalate privileges or modify data [1].
Mitigation
As of the publication date (2022-11-25), no official patch or fixed version has been released by the vendor. Users are advised to fix /admin/transactions/update_status.php so that id is validated as an integer and passed to the database through a prepared statement (mysqli or PDO) rather than concatenated into the query string. Until a fix is applied, change the default admin/admin123 credentials, since exploitation requires an authenticated session; restrict network access to the admin panel; turn off display of database errors to clients (PHP display_errors), which removes the error channel that updatexml()-style extraction relies on; and consider a web application firewall (WAF) as a partial compensating control. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog [1].
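As an added illustration (not code from the SourceCodester project or from the reference), the following shows the pattern the advisory describes beside a hardened replacement. The page only establishes that id is concatenated into a query; the table and column names (transactions, id, status), the presence of a status parameter, the set of allowed status values and the connection details are assumptions made for the example.

```php
<?php
// Added example, not the project's own code. Table/column names, the status
// parameter and the allowed status values are assumptions.
declare(strict_types=1);

// --- Vulnerable pattern (the shape the advisory describes; do not use) ----
// id is dropped straight into the SQL string, so a value such as
//   1 AND updatexml(1,concat(0x7e,database()),1)
// becomes part of the query, and the subquery result surfaces in the
// MySQL error text if errors are echoed to the client.
function update_status_vulnerable(mysqli $db, array $get): bool
{
    $id     = $get['id'];
    $status = $get['status'] ?? 'confirmed';
    $sql = "UPDATE transactions SET status = '{$status}' WHERE id = {$id}";
    return $db->query($sql) !== false;
}

// --- Hardened version ------------------------------------------------------
// 1. Validate the shape of id before it reaches the database: a positive int.
// 2. Bind both values with a prepared statement so the driver sends them as
//    data, never as SQL text.
// 3. Restrict status to a known set instead of trusting client input.
function update_status_safe(mysqli $db, array $get): bool
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($id === false) {
        http_response_code(400);
        return false;
    }

    $allowed = ['pending', 'confirmed', 'completed', 'cancelled']; // assumed
    $status  = $get['status'] ?? '';
    if (!in_array($status, $allowed, true)) {
        http_response_code(400);
        return false;
    }

    $stmt = $db->prepare('UPDATE transactions SET status = ? WHERE id = ?');
    $stmt->bind_param('si', $status, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Keep MySQL error text out of HTTP responses: error-based extraction with
// updatexml() only works when the database error is reflected to the client.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
ini_set('display_errors', '0');

// Usage (connection parameters assumed; asms_db is the name given in [1]):
// $db = new mysqli('localhost', 'root', '', 'asms_db');
// update_status_safe($db, $_GET);
```

With MYSQLI_REPORT_STRICT enabled, a failed prepare() or execute() throws mysqli_sql_exception rather than returning false, so wrap the call in a try/catch at the request handler and log the exception server-side instead of printing it.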
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Automotive Shop Management System / Automotive Shop Management System
  - Range: = 1.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.