CVE-2022-28417

9.8 CRITICAL

📋 TL;DR

CVE-2022-28417 is a critical SQL injection vulnerability in Home Owners Collection Management System v1.0 that lets an attacker execute arbitrary SQL commands through the delete_phase function of /hocms/classes/Master.php. It affects every deployment of the vulnerable version of this web application. Successful exploitation could lead to complete database compromise.

💻 Affected Systems

Products:
  • Home Owners Collection Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web application specifically at /hocms/classes/Master.php?f=delete_phase endpoint

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database takeover allowing data theft, modification, or deletion; potential remote code execution if database functions permit; full system compromise.

🟠 Likely Case

Unauthorized access to sensitive homeowner data including personal information, financial records, and collection details; database manipulation or destruction.

🟢 If Mitigated

Limited impact with proper input validation and parameterized queries; potential for error messages revealing database structure but no data compromise.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

A public proof-of-concept is available on GitHub; SQL injection via a GET parameter is straightforward to exploit.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch is available. Rewrite the delete_phase function in Master.php to use parameterized queries and validate all user-supplied input before it reaches the query.
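The following is an added example, not code from the Home Owners Collection Management System, that contrasts the vulnerable pattern the advisory describes (the request parameter concatenated into the SQL text) with the recommended fix (input validation plus a parameterized query). It uses an in-memory SQLite table as a stand-in for the application's database; the table and column names (phases, id, name) and the sample rows are constructed for the demonstration. The payload it feeds to both versions is the one given in the "How to Verify" section of this advisory.

```python
import sqlite3

# Constructed sample data standing in for the application's phase records.
SAMPLE_PHASES = [(1, "Phase 1"), (2, "Phase 2"), (3, "Phase 3")]


def make_db():
    """Create a fresh in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE phases (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO phases VALUES (?, ?)", SAMPLE_PHASES)
    conn.commit()
    return conn


def delete_phase_vulnerable(conn, phase_id):
    """Pattern the advisory describes: the id parameter is pasted into the SQL text.

    Returns the number of rows deleted, which is how the injection shows up:
    a crafted id changes the WHERE clause and removes more rows than intended.
    """
    sql = f"DELETE FROM phases WHERE id = '{phase_id}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def delete_phase_hardened(conn, phase_id):
    """Fix the advisory recommends: validate the input, then bind it as a parameter.

    The id is required to be a string of digits (it arrives as a GET parameter),
    and the database driver receives it as a bound value, never as SQL text.
    """
    if not isinstance(phase_id, str) or not phase_id.isdigit():
        raise ValueError("id must be a positive integer")
    cur = conn.execute("DELETE FROM phases WHERE id = ?", (int(phase_id),))
    conn.commit()
    return cur.rowcount


def remaining(conn):
    """Rows left in the table, used to confirm what each version actually deleted."""
    return conn.execute("SELECT COUNT(*) FROM phases").fetchone()[0]


if __name__ == "__main__":
    payload = "1' OR '1'='1"          # the verification payload from the advisory
    db = make_db()
    print("vulnerable, id=1 deletes", delete_phase_vulnerable(db, "1"), "row(s)")
    db = make_db()
    print("vulnerable, injected id deletes", delete_phase_vulnerable(db, payload), "row(s)")
    db = make_db()
    print("hardened, id=1 deletes", delete_phase_hardened(db, "1"), "row(s)")
    try:
        delete_phase_hardened(make_db(), payload)
    except ValueError as exc:
        print("hardened, injected id rejected:", exc)
```

The vulnerable version deletes every row when given the advisory's payload because the injected `OR '1'='1'` turns the WHERE clause into a tautology; the hardened version rejects the same input before any query runs, and for a legitimate id it deletes exactly one row. The digit check is a defence-in-depth layer on top of the bound parameter, which alone is sufficient to stop the injection.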

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Input Validation Filter

Applies to: all

Add input validation to sanitize parameters before they are processed in Master.php.

🧯 If You Can't Patch

  • Block external access to the /hocms/classes/Master.php endpoint at the network firewall
  • Grant the application's database user only the privileges it needs (least privilege), so an injected query cannot read or alter more than that account is allowed to

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with an SQL injection payload, for example /hocms/classes/Master.php?f=delete_phase&id=1' OR '1'='1. Because delete_phase removes records, run this test only against a non-production copy of the application.

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Verify that the delete_phase function uses parameterized queries and that SQL injection payloads no longer alter the query (a non-numeric id is rejected and only the requested record is affected).

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests to Master.php with SQL syntax in parameters
  • Database error logs showing unexpected queries

Network Indicators:

  • HTTP requests containing SQL keywords (SELECT, UNION, etc.) to the vulnerable endpoint
  • Unusual database connection patterns from web server

SIEM Query:

source="web_logs" AND uri="/hocms/classes/Master.php" AND (query="*SELECT*" OR query="*UNION*" OR query="*OR*1*" OR query="*'--*" OR query="*;--*")
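As an added example (not part of the original advisory or the project's code), the detection script below applies the same indicators as the SIEM query above to web server access logs: it restricts itself to requests for /hocms/classes/Master.php, URL-decodes the query string, and flags SELECT, UNION, "OR 1"-style tautologies and comment terminators. The log lines are constructed samples in common log format, not real traffic; the decoding step is included because the SIEM query matches raw text and would miss a payload that arrives URL-encoded.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (common log format); the 10.0.0.x
# addresses and timestamps are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Apr/2022:10:01:02 +0000] "GET /hocms/classes/Master.php?f=delete_phase&id=3 HTTP/1.1" 200 45
10.0.0.9 - - [10/Apr/2022:10:01:07 +0000] "GET /hocms/classes/Master.php?f=delete_phase&id=1'%20OR%20'1'='1 HTTP/1.1" 200 45
10.0.0.9 - - [10/Apr/2022:10:01:09 +0000] "GET /hocms/classes/Master.php?f=delete_phase&id=1%27+UNION+SELECT+1,2,3--+- HTTP/1.1" 500 120
10.0.0.7 - - [10/Apr/2022:10:02:00 +0000] "GET /hocms/index.php?page=phases HTTP/1.1" 200 2048
10.0.0.9 - - [10/Apr/2022:10:02:11 +0000] "GET /hocms/classes/Master.php?f=delete_phase&id=1;-- HTTP/1.1" 200 45
"""

# The endpoint named in the advisory.
TARGET_URI = "/hocms/classes/Master.php"

# Indicators mirroring the advisory's SIEM query, applied after URL decoding.
INJECTION_PATTERNS = [
    re.compile(r"\bselect\b", re.I),
    re.compile(r"\bunion\b", re.I),
    re.compile(r"\bor\b\s*'?\d", re.I),   # OR 1  /  OR '1
    re.compile(r"'\s*--"),                 # quote followed by a comment terminator
    re.compile(r";\s*--"),                 # statement separator followed by a comment
]

# Extracts the request line ("GET /path?query HTTP/1.1") from a log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def classify(line):
    """Return (client_ip, path, decoded_query, matched_patterns) for a suspicious
    request to the vulnerable endpoint, or None if the line is not a hit."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if parts.path != TARGET_URI:
        return None
    decoded = unquote_plus(parts.query)   # %27 -> ', + -> space, etc.
    hits = [p.pattern for p in INJECTION_PATTERNS if p.search(decoded)]
    if not hits:
        return None
    client_ip = line.split(" ", 1)[0]
    return client_ip, parts.path, decoded, hits


def scan(log_text):
    """Run classify() over every line and return only the hits."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r]


if __name__ == "__main__":
    for ip, path, query, hits in scan(SAMPLE_LOG):
        print(f"{ip} {path}?{query}  matched: {hits}")
```

Of the five constructed lines, three are flagged (all from the same client), the legitimate `id=3` request and the request to a different page are not. Because the advisory's third log indicator is unexpected queries in database error logs, the HTTP 500 on the UNION request is a useful corroborating signal to correlate with the application's error log.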
