CVE-2022-45010
Description
Simple Phone Book/Directory Web App v1.0 was discovered to contain a SQL injection vulnerability via the editid parameter at /PhoneBook/edit.php.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Simple Phone Book/Directory Web App v1.0 has a SQL injection vulnerability in the editid parameter at /PhoneBook/edit.php.
Vulnerability
The Simple Phone Book/Directory Web App v1.0 by bakhtiar [1] contains a SQL injection vulnerability in the editid GET parameter at /PhoneBook/edit.php. The application fails to sanitize user input, allowing an attacker to inject arbitrary SQL commands. The vulnerability is present in version 1.0 [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request with a SQL injection payload in the editid parameter. The reference [1] demonstrates that sending a single quote (') causes an SQL statement error, while a double single quote ('') produces a successful page display, indicating faulty filtering. A time-based blind SQL injection payload using SLEEP(10) confirms the vulnerability can be exploited to extract data [1]. No authentication is required [1].
Impact
Successful exploitation allows an attacker to read, modify, or delete arbitrary data from the underlying database. This can lead to disclosure of sensitive information (e.g., phone numbers, user credentials), data corruption, or potential privilege escalation depending on database privileges. The impact is high due to potential data breach and loss of integrity [1].
Mitigation
As of the published date (2022-12-07), no official patch or fixed version has been released [1]. Developers should use parameterized queries or prepared statements to prevent SQL injection. Until a fix is available, restrict access to the vulnerable endpoint and implement input validation. This CVE is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog [1].
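The quote behaviour described under Exploitation and the parameterized-query fix recommended above, side by side, as an added example that is not the application's own code. It assumes a hypothetical `contacts` table, PDO, and an in-memory SQLite database standing in for the app's real database, whose schema is not on this page.

```php
<?php
// Constructed stand-in for the database behind edit.php: in-memory SQLite
// with a hypothetical `contacts` table (the real schema is not on the page).
function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)");
    $db->exec("INSERT INTO contacts VALUES (1, 'Alice Example', '555-0100')");
    return $db;
}

// Vulnerable pattern (assumed shape): editid is concatenated into the SQL
// text, so quote characters in the parameter change how the statement parses.
function load_contact_concat(PDO $db, string $editid): string {
    try {
        $sql = "SELECT name FROM contacts WHERE id = '" . $editid . "'";
        return $db->query($sql)->fetch() ? 'row' : 'no row';
    } catch (PDOException $e) {
        return 'sql error';
    }
}

// Hardened pattern: accept only a plain decimal id, then bind the value so
// it is never part of the SQL text.
function load_contact_bound(PDO $db, string $editid): string {
    if (preg_match('/\A[0-9]+\z/', $editid) !== 1) {
        return 'rejected';
    }
    $stmt = $db->prepare('SELECT name FROM contacts WHERE id = ?');
    $stmt->execute([(int) $editid]);
    return $stmt->fetch() ? 'row' : 'no row';
}

// Constructed inputs: a normal id, one quote, two quotes.
$db = demo_db();
foreach (['1', "1'", "1''"] as $editid) {
    printf("%-5s concat=%-10s bound=%s\n", $editid,
        load_contact_concat($db, $editid), load_contact_bound($db, $editid));
}
```

In the concatenated handler the single quote breaks the statement and the doubled quote parses again, which is the signature the reference reports; the bound handler gives the same answer for both because neither input reaches the SQL parser.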
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Simple Phone Book/Directory Web App/Simple Phone Book/Directory Web App (description)
- Range: =1.0
Patches
No patches discovered yet.
References