CVE-2022-23898

9.8 CRITICAL

📋 TL;DR

MCMS v5.2.5 contains a SQL injection vulnerability in the categoryId parameter that allows attackers to execute arbitrary SQL commands. This affects all systems running the vulnerable version of MCMS content management software. Attackers can potentially read, modify, or delete database contents.

💻 Affected Systems

Products:
  • MCMS (MingSoft Content Management System)
Versions: v5.2.5 (earlier versions that share the same code are potentially affected as well)
Operating Systems: All platforms running MCMS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in IContentDao.xml file's categoryId parameter handling

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection to remote code execution.

🟠 Likely Case

Unauthorized data access, privilege escalation, or database manipulation leading to content modification or user data exposure.

🟢 If Mitigated

Limited impact when proper input validation and parameterized queries prevent the SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via categoryId parameter is straightforward to exploit with basic SQL knowledge

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v5.2.6 or later

Vendor Advisory: https://github.com/ming-soft/MCMS/issues/62

Restart Required: Yes

Instructions:

1. Back up the database and application files.
2. Download the latest MCMS version from the official repository.
3. Replace the vulnerable files with the patched versions.
4. Restart the web application server.
5. Verify the fix by testing the categoryId parameter.

🔧 Temporary Workarounds

Input Validation Filter (all platforms)

  • Add server-side validation to reject malicious categoryId values
  • Implement parameterized queries or prepared statements for all categoryId database interactions

WAF Rule (all platforms)

  • Deploy web application firewall rules to block SQL injection patterns
  • Add WAF rule: deny requests containing SQL keywords in categoryId parameter

🧯 If You Can't Patch

  • Implement strict input validation and parameterized queries for categoryId parameter
  • Restrict database user permissions to minimum required privileges
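The two controls above, strict validation of categoryId and parameter binding, are shown together below. This is an added illustration, not MCMS code: MCMS is a Java application whose affected query lives in a MyBatis mapper (IContentDao.xml), so the Python/sqlite3 stand-in only demonstrates the pattern. The `content` table, its columns and the sample rows are constructed for the example.

```python
import re
import sqlite3

# Constructed sample rows standing in for a CMS content table.
# Table and column names are assumptions for this example, not MCMS's schema.
SAMPLE_ROWS = [
    (1, 10, "Public article"),
    (2, 10, "Second public article"),
    (3, 20, "Internal notice"),
    (4, 30, "Draft, not meant to be listed"),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE content (id INTEGER, category_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO content VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def list_titles_unsafe(conn: sqlite3.Connection, category_id: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    A value such as ' OR '1'='1 turns the WHERE clause into a tautology and
    returns every row, which is the behaviour the advisory describes.
    """
    sql = "SELECT title FROM content WHERE category_id = '" + category_id + "'"
    return [row[0] for row in conn.execute(sql)]


# Allowlist: a category id is a short decimal integer, nothing else.
CATEGORY_ID_RE = re.compile(r"[0-9]{1,10}")


def validate_category_id(raw: str) -> int:
    """Server-side validation: reject anything that is not a plain integer."""
    if not CATEGORY_ID_RE.fullmatch(raw):
        raise ValueError("categoryId must be a decimal integer")
    return int(raw)


def list_titles_safe(conn: sqlite3.Connection, raw_category_id: str) -> list:
    """Hardened pattern: validate first, then bind the value as a parameter.

    With binding the driver transmits the value separately from the SQL text,
    so it can never be interpreted as SQL syntax.
    """
    category_id = validate_category_id(raw_category_id)
    rows = conn.execute(
        "SELECT title FROM content WHERE category_id = ?", (category_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print("unsafe, normal input :", list_titles_unsafe(db, "10"))
    print("unsafe, tautology    :", list_titles_unsafe(db, "' OR '1'='1"))
    print("safe,   normal input :", list_titles_safe(db, "10"))
    try:
        list_titles_safe(db, "' OR '1'='1")
    except ValueError as exc:
        print("safe,   tautology    : rejected ->", exc)
```

Either control alone closes this particular hole; the validation rejects the payload before it reaches the database, and binding neutralises it even if validation were bypassed. In the real fix the equivalent of parameter binding is MyBatis's `#{}` placeholder rather than `${}` string substitution.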

🔍 How to Verify

Check if Vulnerable:

Test categoryId parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check MCMS version in admin panel or application configuration files

Verify Fix Applied:

Test the categoryId parameter with the same payloads after patching; the request should return an error or no data.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed login attempts after categoryId manipulation
  • Database queries with unusual syntax from web server IP

Network Indicators:

  • HTTP requests with SQL keywords in categoryId parameter
  • Abnormal database query patterns from application server

SIEM Query:

source="web_logs" AND (categoryId CONTAINS "UNION" OR categoryId CONTAINS "SELECT" OR categoryId CONTAINS "OR 1=1")
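The SIEM query above matches SQL keywords in the raw categoryId value. An offline version of the same check, added here as an example and not taken from the advisory, is shown below running over constructed access-log lines. It URL-decodes the parameter before matching, since a percent-encoded payload (`%27%20OR%20...`) contains none of the literal keywords, and it additionally flags any non-numeric categoryId as an anomaly, because a legitimate category id is an integer. The `/mcms/content/list` path and the client addresses are constructed for the sample and are not MCMS's actual endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed access-log lines in combined-log style. Not real traffic;
# the request path is an assumption, not MCMS's real endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2022:10:00:01 +0000] "GET /mcms/content/list?categoryId=10 HTTP/1.1" 200 1532
203.0.113.5 - - [10/Jan/2022:10:00:02 +0000] "GET /mcms/content/list?categoryId=10%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8841
198.51.100.7 - - [10/Jan/2022:10:00:03 +0000] "GET /mcms/content/list?categoryId=1%20UNION%20SELECT%20null HTTP/1.1" 500 212
198.51.100.7 - - [10/Jan/2022:10:00:04 +0000] "GET /mcms/content/list?categoryId=abc HTTP/1.1" 200 40
192.0.2.9 - - [10/Jan/2022:10:00:05 +0000] "GET /mcms/content/list?categoryId=20&page=2 HTTP/1.1" 200 1200
"""

# Pull client IP, request target and status code out of a combined-log line.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# The advisory's indicators: UNION, SELECT, and an OR-tautology such as OR 1=1
# or ' OR '1'='1 (optional quotes around the left operand, then '=').
SQLI_RE = re.compile(r"\bunion\b|\bselect\b|\bor\b\s*['\"]?\w*['\"]?\s*=", re.IGNORECASE)


def analyze_line(line: str):
    """Return an alert dict for a suspicious categoryId, or None for clean lines."""
    m = REQUEST_RE.match(line)
    if not m:
        return None
    query = urlsplit(m.group("target")).query
    for value in parse_qs(query).get("categoryId", []):
        # parse_qs decodes one layer; a second unquote catches double encoding.
        # Harmless for legitimate values, which are plain integers.
        decoded = unquote(value)
        if decoded.isdigit():
            continue
        severity = "high" if SQLI_RE.search(decoded) else "medium"
        return {
            "ip": m.group("ip"),
            "status": int(m.group("status")),
            "categoryId": decoded,
            "severity": severity,
        }
    return None


def scan(log_text: str) -> list:
    """Run analyze_line over every line and collect the alerts in order."""
    alerts = []
    for line in log_text.splitlines():
        alert = analyze_line(line)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert['severity']:6} {alert['ip']:14} status={alert['status']} "
              f"categoryId={alert['categoryId']!r}")
```

Pairing the alert with the response status and size is useful in triage: an unusually large 200 response to a tautology payload suggests the injection returned extra rows, while a 500 suggests the database rejected a malformed query, matching the "unusual SQL error messages" indicator above.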
