CVE-2022-27165

9.8 CRITICAL

📋 TL;DR

CVE-2022-27165 is a critical SQL injection vulnerability in CSZ CMS 1.2.2 that allows attackers to execute arbitrary SQL commands via the cszcms_admin_Plugin_manager_setstatus endpoint. This affects all systems running vulnerable versions of CSZ CMS, particularly those with administrative interfaces exposed. Successful exploitation could lead to complete database compromise.

💻 Affected Systems

Products:
  • CSZ CMS
Versions: 1.2.2 and possibly earlier versions
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: Requires administrative access to reach the vulnerable endpoint, but SQL injection can bypass authentication if combined with other vulnerabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database takeover allowing data theft, modification, or deletion; potential remote code execution through database functions; full system compromise.

🟠 Likely Case

Database information disclosure including user credentials, sensitive content, and configuration data; potential privilege escalation to administrative access.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries; database access restricted to read-only operations.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is typically accessible via web interface, making internet-facing installations particularly vulnerable to automated attacks.
🏢 Internal Only: MEDIUM - Internal systems are still vulnerable but attack surface is reduced; requires internal network access or compromised credentials.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires administrative access to the plugin manager interface; SQL injection payloads are well-documented and easy to craft.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.2.3 or later

Vendor Advisory: https://github.com/cskaza/cszcms/issues/41

Restart Required: No

Instructions:

1. Back up your database and files.
2. Download the latest CSZ CMS version from the official repository.
3. Replace vulnerable files with patched versions.
4. Verify plugin manager functionality works correctly.

🔧 Temporary Workarounds

Input Validation Filter

all

Add input validation to sanitize plugin manager parameters before processing

Modify cszcms_admin_Plugin_manager_setstatus function to validate and sanitize all input parameters using PHP filter functions

Access Restriction

linux

Restrict access to admin interface to trusted IP addresses only

Add .htaccess rules to limit /admin/ directory access:

    Order Deny,Allow
    Deny from all
    Allow from 192.168.1.0/24

🧯 If You Can't Patch

  • Implement web application firewall (WAF) rules to block SQL injection patterns targeting the plugin manager endpoint
  • Disable or remove the plugin manager functionality if not required for operations

🔍 How to Verify

Check if Vulnerable:

Check if running CSZ CMS version 1.2.2 or earlier; review admin/plugins.php file for lack of parameterized queries in setstatus function

Check Version:

Check includes/version.php or look for version information in admin dashboard

Verify Fix Applied:

Verify version is 1.2.3 or later; test plugin manager functionality with SQL injection test payloads (safe, non-destructive)

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by plugin manager access
  • SQL syntax errors in web server logs from /admin/ paths

Network Indicators:

  • POST requests to /admin/plugins.php with SQL keywords in parameters
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND (uri_path="/admin/plugins.php" AND (param="setstatus" AND value MATCH "(?i)(union|select|insert|update|delete|drop|create|alter)"))
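
The same indicator applied to raw log lines, as an added Python example (not part of the original advisory or of CSZ CMS). It URL-decodes values before matching and adds word boundaries to the keyword list to cut false positives. The path and parameter name come from the SIEM query above; the log format and sample lines are constructed assumptions.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Path and parameter name as they appear in the SIEM query above.
TARGET_PATH, TARGET_PARAM = "/admin/plugins.php", "setstatus"
# Same keyword list as the SIEM query; \b keeps "updated" or "selection" from matching.
SQL_KEYWORDS = re.compile(
    r"\b(union|select|insert|update|delete|drop|create|alter)\b", re.IGNORECASE)
# Constructed log format (assumption): <ip> "<METHOD> <url> <proto>" <status> body="<form body>"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) body="(?P<body>[^"]*)"$')
# Constructed sample lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 "POST /admin/plugins.php HTTP/1.1" 200 body="setstatus=1"',
    '203.0.113.7 "POST /admin/plugins.php HTTP/1.1" 200 body="setstatus=updated"',
    '198.51.100.9 "POST /admin/plugins.php HTTP/1.1" 500 body="setstatus=1+UNION+SELECT+1"',
    '198.51.100.9 "GET /admin/plugins.php?setstatus=1%2520uNiOn%2520select%25201 HTTP/1.1" 500 body=""',
    '198.51.100.9 "GET /index.php?q=select+a+plan HTTP/1.1" 200 body=""',
]

def decode_fully(value, max_rounds=3):
    """Apply max_rounds further URL-decoding passes so double-encoded values are seen in clear."""
    for _ in range(max_rounds):
        value = unquote_plus(value)
    return value

def suspicious_hits(lines):
    """Return (client ip, first matched keyword) for each line that matches the indicator."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["url"])
        if url.path != TARGET_PATH:
            continue
        # Check the parameter in both the query string and the form body.
        for name, value in parse_qsl(url.query) + parse_qsl(m["body"]):
            kw = SQL_KEYWORDS.search(decode_fully(value))
            if name == TARGET_PARAM and kw:
                hits.append((m["ip"], kw.group(1).lower()))
                break
    return hits

if __name__ == "__main__":
    for ip, kw in suspicious_hits(SAMPLE_LOG):
        print(f"ALERT {ip} keyword={kw}")
```

Without the extra decoding passes the double-encoded line is missed, because `%20UNION` has no word boundary between `0` and `U`.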
