CVE-2022-27304

9.8 CRITICAL

📋 TL;DR

Student Grading System v1.0 contains a SQL injection vulnerability in the user parameter that allows attackers to execute arbitrary SQL commands. This affects all users of this specific software version. Attackers could potentially access, modify, or delete sensitive student grading data.

💻 Affected Systems

Products:
  • Student Grading System
Versions: v1.0
Operating Systems: Any OS running the application
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific vendor implementation; other grading systems may not be vulnerable

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining

🟠

Likely Case

Unauthorized access to student records, grade manipulation, and potential privilege escalation

🟢

If Mitigated

Limited impact with proper input validation and database permissions in place

🌐 Internet-Facing: HIGH - Web application with SQL injection typically exposed to internet
🏢 Internal Only: MEDIUM - Still significant risk if accessible on internal network

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection via user parameter is straightforward to exploit with common tools like sqlmap

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Implement proper input validation and use parameterized queries/prepared statements

Modify application code to use prepared statements: $stmt = $pdo->prepare('SELECT * FROM users WHERE username = ?'); $stmt->execute([$user]);

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection protection rules

Install and configure ModSecurity with OWASP Core Rule Set
Enable SQL injection detection rules

🧯 If You Can't Patch

  • Isolate the system on a segmented network with strict access controls
  • Implement database-level controls: minimal privileges, stored procedures, and regular auditing

🔍 How to Verify

Check if Vulnerable:

Test user parameter with SQL injection payloads: ' OR '1'='1

Check Version:

Check application version in admin panel or about page

Verify Fix Applied:

Test with same payloads and verify no SQL errors or unexpected behavior

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in application logs
  • Unusual database queries from web application
  • Multiple failed login attempts with SQL-like patterns

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) in parameters
  • Abnormal database connection patterns from web server

SIEM Query:

source="web_logs" AND ("' OR" OR "UNION SELECT" OR "--" OR ";--")
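The SIEM query above matches raw log text, so it misses payloads that arrive URL-encoded (for example `%27+OR` instead of `' OR`). The following is an added example, not part of the original advisory: it parses constructed access-log lines, decodes the query string, and flags the `user` parameter against the same indicators the query lists. The log format and the `/login.php` path are assumptions.

```python
import re
import urllib.parse
from collections import namedtuple

# Constructed sample access-log lines (not from the advisory). Lines 2 and 3 carry
# the page's indicators in the `user` parameter; line 3 is percent-encoded.
SAMPLE_LOG = """\
203.0.113.10 - - [01/Jan/2024:10:00:01 +0000] "GET /login.php?user=alice&pass=x HTTP/1.1" 200 512
203.0.113.11 - - [01/Jan/2024:10:00:02 +0000] "GET /login.php?user='+OR+'1'='1&pass=x HTTP/1.1" 200 812
203.0.113.12 - - [01/Jan/2024:10:00:03 +0000] "GET /login.php?user=a%27%20UNION%20SELECT%201%2C2--&pass=x HTTP/1.1" 500 0
203.0.113.13 - - [01/Jan/2024:10:00:04 +0000] "GET /grades.php?user=bob HTTP/1.1" 200 700
"""

# Common log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Same indicator set as the page's SIEM query; `--` also covers `;--`.
SQLI_PATTERNS = {
    "quote_or": re.compile(r"'\s*or\b", re.I),
    "union_select": re.compile(r"\bunion\s+select\b", re.I),
    "sql_comment": re.compile(r"--"),
}

Hit = namedtuple("Hit", "ip param value patterns status")


def scan_line(line, params=("user",)):
    """Return a Hit if a watched query parameter on this line matches an indicator."""
    m = LOG_RE.match(line)
    if not m or "?" not in m.group("path"):
        return None
    query = m.group("path").split("?", 1)[1]
    # parse_qsl decodes %XX and '+' so encoded payloads are inspected in clear text.
    for key, value in urllib.parse.parse_qsl(query, keep_blank_values=True):
        if key not in params:
            continue
        matched = [name for name, rx in SQLI_PATTERNS.items() if rx.search(value)]
        if matched:
            return Hit(m.group("ip"), key, value, matched, int(m.group("status")))
    return None


def scan_log(text, params=("user",)):
    """Scan every line of a log and return the list of Hits in order."""
    return [h for h in (scan_line(l, params) for l in text.splitlines()) if h]


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A hit with a 500 status next to a `union_select` match is the "SQL syntax errors in application logs" indicator seen from the web tier; correlate it with the database error log before escalating.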
