Login Sign Up

CVE-2022-26631

9.8 CRITICAL
SQL Injection

📋 TL;DR

CVE-2022-26631 is a critical SQL injection vulnerability in Automatic Question Paper Generator v1.0 that allows attackers to execute arbitrary SQL commands via the 'id' GET parameter. This affects all users running the vulnerable version of this PHP web application. Attackers can potentially extract, modify, or delete database contents.

💻 Affected Systems

Products:
  • Automatic Question Paper Generator System
Versions: v1.0
Operating Systems: Any OS running PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation with no configuration changes required for exploitation.

📦 What is this software?

Automatic Question Paper Generator by Automatic Question Paper Generator Project

View all CVEs affecting Automatic Question Paper Generator →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Database information disclosure including user credentials, sensitive application data, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and WAF protection blocking SQL injection attempts.

🌐 Internet-Facing: HIGH - Web application accessible from internet with unauthenticated SQL injection vulnerability.
🏢 Internal Only: MEDIUM - Still significant risk from internal threats or compromised internal systems.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Time-based blind SQL injection requires automated tools but exploit scripts are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch exists. Replace vulnerable code with parameterized queries and input validation.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection rules to block exploitation attempts.

Input Validation Filter

all

Add server-side validation to reject malicious 'id' parameter values.

// PHP example: if(!is_numeric($_GET['id'])) { die('Invalid input'); }

🧯 If You Can't Patch

  • Isolate the application behind strict network segmentation and access controls.
  • Implement database-level protections: minimal privileges, query logging, and regular backups.

🔍 How to Verify

Check if Vulnerable:

Test with SQL injection payloads on the 'id' parameter: /page.php?id=1' AND SLEEP(5)--

Check Version:

Check application version in source code or admin panel.

Verify Fix Applied:

Verify parameterized queries are implemented and input validation rejects SQL injection attempts.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Unusual database query patterns
  • Multiple requests with SQL keywords in parameters

Network Indicators:

  • HTTP requests containing SQL injection payloads in GET parameters
  • Unusual timing delays in responses

SIEM Query:

web.url:*id=* AND (web.url:*SLEEP* OR web.url:*WAITFOR* OR web.url:*UNION* OR web.url:*SELECT*)

📊 Metadata

CVE ID: CVE-2022-26631
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: April 18, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26631, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)