CVE-2022-28437 – Baby Care System v1.0 contains a SQL injection ... (How to Fix)

Q: What is the severity of CVE-2022-28437?

CVE-2022-28437 has a CVSS score of 9.8 (CRITICAL). Baby Care System v1.0 contains a SQL injection vulnerability in the admin panel that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific software version. Attackers could potentially access, modify, or delete database content.

📋 TL;DR

Baby Care System v1.0 contains a SQL injection vulnerability in the admin panel that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific software version. Attackers could potentially access, modify, or delete database content.

💻 Affected Systems

Products:

Baby Care System

Versions: v1.0

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: Requires admin panel access path /admin/uesrs.php

📦 What is this software?

Baby Care System by Janobe

View all CVEs affecting Baby Care System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive data including user information, admin credentials, and system configuration.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage scope.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploit requires access to admin interface but SQL injection is straightforward once accessed

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider workarounds or replacing the software.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameter validation to filter SQL injection attempts

Modify /admin/uesrs.php to validate and sanitize userid parameter

Web Application Firewall

all

Deploy WAF with SQL injection protection rules

Configure WAF to block requests containing SQL keywords to /admin/uesrs.php

🧯 If You Can't Patch

Restrict access to admin panel using IP whitelisting
Implement database user with minimal required permissions

🔍 How to Verify

Check if Vulnerable:

Test /admin/uesrs.php?action=type&userrole=Admin&userid=3' with SQL injection payloads

Check Version:

Check software documentation or configuration files for version information

Verify Fix Applied:

Test same endpoint with SQL injection payloads and verify they are rejected

📡 Detection & Monitoring

Log Indicators:

Multiple failed SQL queries
Unusual database access patterns from admin panel
SQL syntax errors in application logs

Network Indicators:

HTTP requests to /admin/uesrs.php containing SQL keywords
Unusual database port traffic from web server

SIEM Query:

source="web_logs" AND uri="/admin/uesrs.php" AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "INSERT")

📊 Metadata

CVE ID: CVE-2022-28437

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: April 21, 2022

Last Updated: November 18, 2025

🔗 References

https://github.com/k0xx11/bug_report/blob/main/vendors/janobe/baby-care-system/SQLi-18.md Exploit,Third Party Advisory
https://github.com/k0xx11/bug_report/blob/main/vendors/janobe/baby-care-system/SQLi-18.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-28437, you might also want to check these: