CVE-2022-24602

9.8 CRITICAL

📋 TL;DR

CVE-2022-24602 is a SQL injection vulnerability in Luocms v2.0's news_mod.php admin endpoint that allows attackers to execute arbitrary SQL commands. This affects all Luocms v2.0 installations with the vulnerable file present. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:
  • Luocms
Versions: v2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires access to /admin/news/news_mod.php endpoint. Default installations are vulnerable.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover by chaining the SQL injection into remote code execution.

🟠 Likely Case

Unauthorized database access allowing extraction of sensitive information such as user credentials and admin data, or manipulation of site content.

🟢 If Mitigated

Limited impact if proper input validation and parameterized queries are in place, so that user input can no longer alter the SQL statements the application executes.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access or authentication bypass. SQL injection techniques are well-documented and easily weaponized.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

1. Check for an official patch from the Luocms vendor.
2. If no patch is available, rewrite the queries in news_mod.php to use parameterized (prepared) statements.
3. Validate all user input against its expected type and format before it reaches any query.
4. Apply input validation filters.

🔧 Temporary Workarounds

Input Validation Filter

Add input validation to news_mod.php so that each request parameter is checked against its expected type before it reaches any SQL statement.

# Add input validation in PHP code before SQL execution.
# Example for an integer parameter (the filter must match the parameter's expected type):
# $id = filter_var($_POST['param'], FILTER_VALIDATE_INT);
# if ($id === false) { http_response_code(400); exit; }
# Note: FILTER_SANITIZE_STRING (deprecated since PHP 8.1) only strips tags and does not stop SQL injection;
# validation narrows the accepted input, but prepared statements are still required.
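The following is an added example, not Luocms code: it shows the vulnerable pattern behind a bug of this kind in an admin "modify news" handler beside a hardened version that combines type validation (the workaround above) with PDO prepared statements (step 2 of the instructions). The table, column and parameter names (`news`, `id`, `title`) are assumptions, since the actual Luocms code is not on this page; the in-memory SQLite database is constructed so the script runs offline.

```php
<?php
// Added example (not Luocms code). Table, column and parameter names are assumed.
declare(strict_types=1);

// Constructed in-memory database so the example runs offline.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');
$db->exec("INSERT INTO news (id, title) VALUES (1, 'Welcome'), (2, 'Release notes')");

// VULNERABLE (shown for contrast only, never called): request values are concatenated
// straight into the statement, so the input can change the statement's structure.
function updateNewsVulnerable(PDO $db, array $post): int
{
    $sql = "UPDATE news SET title = '" . $post['title'] . "' WHERE id = " . $post['id'];
    return $db->exec($sql);
}

// HARDENED: validate each parameter against its expected type, then bind it as data.
// With a prepared statement the database receives the SQL text and the values
// separately, so input is never parsed as SQL regardless of the characters it holds.
function updateNewsHardened(PDO $db, array $post): int
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    $title = (string) ($post['title'] ?? '');
    if ($title === '' || strlen($title) > 200) {           // byte length, assumed limit
        throw new InvalidArgumentException('title must be 1-200 bytes');
    }
    $stmt = $db->prepare('UPDATE news SET title = :title WHERE id = :id');
    $stmt->execute([':title' => $title, ':id' => $id]);
    return $stmt->rowCount();
}

// Constructed requests standing in for $_POST.
$legit   = ['id' => '2', 'title' => 'Release notes v2'];
$badId   = ['id' => '2 OR 1=1', 'title' => 'anything'];
$quoted  = ['id' => '1', 'title' => "Tom's 'quoted' title; -- still just data"];

// A legitimate update touches exactly one row.
printf("legit: %d row(s) updated\n", updateNewsHardened($db, $legit));

// A non-integer id is rejected by validation before any SQL runs.
try {
    updateNewsHardened($db, $badId);
} catch (InvalidArgumentException $e) {
    echo "bad id rejected: {$e->getMessage()}\n";
}

// A title full of quotes and comment markers is stored literally; the bind keeps it as data.
printf("quoted: %d row(s) updated\n", updateNewsHardened($db, $quoted));
foreach ($db->query('SELECT id, title FROM news ORDER BY id') as $row) {
    printf("  %d => %s\n", $row['id'], $row['title']);
}
```

The design point is the order of the two defences: validation rejects input that is the wrong shape (and gives a clean 400 instead of a database error, which also removes the "unusual SQL error messages" signal an attacker would otherwise receive), while the prepared statement is what actually makes the remaining input safe. Validation alone, as the workaround notes, is not sufficient for free-text fields such as a title.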

WAF Rule Implementation

Deploy web application firewall rules to block SQL injection patterns in requests to news_mod.php.

# Example ModSecurity rule (libinjection-based SQLi detection on all request arguments, after URL decoding):
# SecRule ARGS "@detectSQLi" "id:1001,phase:2,t:none,t:urlDecodeUni,deny,status:403,log,msg:'SQLi attempt on news_mod.php'"

🧯 If You Can't Patch

  • Restrict access to /admin/news/news_mod.php using IP allow-listing or authentication hardening
  • Run the application as a database user with minimal privileges (read-only where possible) so that a successful injection cannot modify or delete data

🔍 How to Verify

Check if Vulnerable:

Check if Luocms v2.0 is installed and /admin/news/news_mod.php exists without proper input validation.

Check Version:

Check Luocms version in configuration files or admin panel: grep -r 'version' /path/to/luocms/ or check admin dashboard

Verify Fix Applied:

Test the news_mod.php endpoint with SQL injection payloads to confirm they're blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in logs
  • Multiple failed login attempts to admin panel
  • Unexpected database queries from news_mod.php

Network Indicators:

  • SQL injection patterns in HTTP requests to news_mod.php
  • Unusual database connection patterns

SIEM Query:

source="web_logs" AND uri="/admin/news/news_mod.php" AND (message="*SQL*" OR message="*syntax*" OR message="*union*" OR message="*select*")

Adjust field names and wildcard syntax to your SIEM; the terms must be substring matches rather than exact matches, and the request URI should be searched in URL-decoded form, since payloads are usually encoded in transit.
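As an added example that is not part of this advisory, the script below applies the indicators above to web server access logs. It goes slightly beyond the SIEM query: it scopes matches to the vulnerable endpoint, URL-decodes the query string before matching (so encoded payloads are caught), and reports the HTTP status alongside the hit so a 500 can be correlated with the "unusual SQL error messages" indicator. The log lines are constructed and assume the Apache/nginx "combined" format; the pattern names and thresholds are the author's choices, not Luocms or vendor material.

```php
<?php
// Added example (not part of the advisory). Log lines below are constructed.
declare(strict_types=1);

const TARGET_PATH = '/admin/news/news_mod.php';

// Indicator patterns derived from the SIEM query above, applied case-insensitively
// to the URL-decoded query string so encoded payloads (e.g. %20union%20) are not missed.
const SQLI_PATTERNS = [
    'union_select'   => '/\bunion\b.{0,40}\bselect\b/i',
    'tautology'      => '/\b(or|and)\b\s+[\'"]?\w+[\'"]?\s*=\s*[\'"]?\w+/i',
    'comment_marker' => '/(--|#|\/\*)/',
    'quote_probe'    => "/['\"]\\s*(or|and)\\b/i",
];

// Parse one combined-format line into its parts; returns null if the line does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

// Return the names of the patterns that fire on a request to the vulnerable endpoint.
// Requests to other paths return an empty list, matching the uri= clause of the SIEM query.
function sqliIndicators(array $req): array
{
    $path = parse_url($req['target'], PHP_URL_PATH);
    if ($path !== TARGET_PATH) {
        return [];
    }
    $decoded = rawurldecode((string) parse_url($req['target'], PHP_URL_QUERY));
    $hits = [];
    foreach (SQLI_PATTERNS as $name => $pattern) {
        if (preg_match($pattern, $decoded)) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample lines: a normal admin edit, an encoded injection probe that
// produced a server error, and the same probe against an unrelated page.
$lines = [
    '10.0.0.5 - - [01/Mar/2022:10:00:01 +0000] "GET /admin/news/news_mod.php?id=12 HTTP/1.1" 200 4821',
    '203.0.113.9 - - [01/Mar/2022:10:00:07 +0000] "GET /admin/news/news_mod.php?id=12%27%20UNION%20SELECT%201,2,3--%20 HTTP/1.1" 500 312',
    '10.0.0.5 - - [01/Mar/2022:10:00:09 +0000] "GET /index.php?id=1%20union%20select HTTP/1.1" 200 900',
];

foreach ($lines as $line) {
    $req = parseLogLine($line);
    if ($req === null) {
        continue;                                  // skip lines that are not in combined format
    }
    $hits = sqliIndicators($req);
    if ($hits !== []) {
        printf("ALERT %s %s status=%d indicators=%s\n",
            $req['time'], $req['ip'], $req['status'], implode(',', $hits));
    }
}
```

Only the second line produces an alert (union_select and comment_marker, with status 500); the first has a plain integer id and the third is outside the endpoint scope. Because a news-edit form will typically submit by POST, the parameters may not appear in the access log at all; in that case the same patterns need to be run over application or WAF logs that record the request body, or over the database error log where the "syntax" indicator shows up.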
