CVE-2022-28433

9.8 CRITICAL

📋 TL;DR

Baby Care System v1.0 contains a SQL injection vulnerability in the admin users management interface. Attackers can exploit this to execute arbitrary SQL commands, potentially compromising the entire database. This affects all deployments of Baby Care System v1.0.

💻 Affected Systems

Products:
  • Baby Care System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection can potentially bypass authentication.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data manipulation, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized access to sensitive user data, administrative credentials theft, and database manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to admin interface, but SQL injection could potentially bypass authentication checks.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries and input validation in /admin/uesrs.php.

🔧 Temporary Workarounds

Web Application Firewall (applies to: all)

Deploy a WAF with SQL injection protection rules

Input Validation (applies to: all)

Add server-side validation for the userid parameter

🧯 If You Can't Patch

  • Restrict access to admin panel using IP whitelisting
  • Implement database user with minimal required permissions

🔍 How to Verify

Check if Vulnerable:

Test /admin/uesrs.php?action=display&value=Show&userid=1' with SQL injection payloads

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify parameterized queries are used and input validation rejects malicious payloads

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in logs
  • Multiple failed login attempts to admin panel
  • Unusual database queries

Network Indicators:

  • SQL keywords in HTTP requests to /admin/uesrs.php
  • Unusual database connection patterns

SIEM Query:

http.url:*uesrs.php* AND (http.uri:*userid=*'* OR http.uri:*userid=*--*)
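As an added example (not part of the original advisory), the SIEM query above rewritten as a small log scanner in Python. It goes slightly beyond the literal query: it URL-decodes the userid parameter, so percent-encoded forms such as %27 or %2D%2D are caught as well, and it treats any non-numeric userid as suspicious rather than only ones containing ' or --. The log lines and IP addresses are constructed samples, not real traffic.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache/nginx combined-log style (not real traffic).
# Line 2 carries a raw quote, line 3 a percent-encoded quote plus comment marker,
# line 4 is a benign request to another admin page.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /admin/uesrs.php?action=display&value=Show&userid=1 HTTP/1.1" 200 512
10.0.0.7 - - [01/Apr/2022:10:00:02 +0000] "GET /admin/uesrs.php?action=display&value=Show&userid=1' HTTP/1.1" 500 88
10.0.0.7 - - [01/Apr/2022:10:00:03 +0000] "GET /admin/uesrs.php?action=display&value=Show&userid=1%27-- HTTP/1.1" 200 4096
10.0.0.9 - - [01/Apr/2022:10:00:04 +0000] "GET /admin/index.php HTTP/1.1" 200 1024
"""

# Client IP, timestamp, method, request target and status code from a combined-log line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_userid(target: str) -> Optional[str]:
    """Return the decoded userid if the request hits uesrs.php with a non-numeric userid.

    parse_qs already decodes one layer of percent-encoding; the extra unquote()
    also unfolds a double-encoded value (e.g. %2527) so it is not missed.
    """
    parts = urlsplit(target)
    if not parts.path.endswith("/uesrs.php"):
        return None
    for value in parse_qs(parts.query, keep_blank_values=True).get("userid", []):
        decoded = unquote(value)
        if not decoded.isdigit():  # legitimate userids are integers
            return decoded
    return None


def scan_log(text: str) -> List[Dict]:
    """Scan log text and return one record per suspicious uesrs.php request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined-log format
        bad = suspicious_userid(m["target"])
        if bad is not None:
            hits.append({"ip": m["ip"], "ts": m["ts"],
                         "status": int(m["status"]), "userid": bad})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

A 500 status on a flagged request (line 2 above) is a strong sign the injected quote reached the database and broke the query; a 200 with a larger-than-usual response body deserves the same attention.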
