CVE-2022-30463

Severity: 8.8 (HIGH)

📋 TL;DR

Automotive Shop Management System v1.0 contains a SQL injection vulnerability in the delete_product function (reached through /asms/classes/Master.php) that allows attackers to execute arbitrary SQL commands. This affects all users running the vulnerable version of this automotive management software. Attackers can potentially access, modify, or delete database content through this flaw.

💻 Affected Systems

Product: Automotive Shop Management System
Versions: v1.0
Operating Systems: Any OS running PHP with database support
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific version mentioned; other versions may also be vulnerable but not confirmed.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential remote code execution if database functions allow it.

🟠 Likely Case

Unauthorized data access and manipulation of product information, customer data, and potentially administrative credentials stored in the database.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only affecting non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the delete_product function, which typically requires authentication. The GitHub reference shows specific SQL injection payloads.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries in the Master.php file.

🔧 Temporary Workarounds

Input Validation Implementation (applies to: all)

Add input validation to sanitize user inputs before processing SQL queries.

Edit /asms/classes/Master.php to implement parameterized queries or input filtering.

Web Application Firewall (applies to: all)

Deploy WAF rules to block SQL injection patterns.

Configure the WAF to detect and block SQL injection attempts against /asms/classes/Master.php.
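The fix instructions and the first workaround above both come down to the same change: stop building the DELETE statement from the raw request parameter and bind it instead. The following is an added Python example, not code from the Automotive Shop Management System project (which is PHP), using sqlite3 and a constructed product_list table (table and column names are assumptions). It shows the page's ' OR '1'='1 payload deleting every row under string concatenation and deleting nothing under a bound parameter, and adds the numeric-id validation the workaround recommends.

```python
import sqlite3

# Constructed sample data: a minimal stand-in for the product table that the
# real delete_product handler operates on (assumed names, not the project's).
SAMPLE_PRODUCTS = [(1, "brake pads"), (2, "oil filter"), (3, "spark plug")]

def make_db():
    """Return a fresh in-memory database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE product_list (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO product_list (id, name) VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn

def remaining(conn):
    """Number of rows still present, used to observe what each delete did."""
    return conn.execute("SELECT COUNT(*) FROM product_list").fetchone()[0]

def delete_product_vulnerable(conn, product_id):
    """The flawed pattern: the request value is spliced into the SQL text.

    With product_id = "' OR '1'='1" the statement becomes
    DELETE FROM product_list WHERE id = '' OR '1'='1'  and every row goes.
    """
    sql = "DELETE FROM product_list WHERE id = '" + product_id + "'"
    conn.execute(sql)
    conn.commit()
    return remaining(conn)

def is_valid_product_id(value):
    """Input validation: a product id is a plain positive integer, nothing else."""
    return value.isdigit() and int(value) > 0

def delete_product_fixed(conn, product_id):
    """The hardened pattern: validate, then bind the value as a parameter.

    A bound parameter is sent as data, so the same payload is compared against
    the integer id column as a literal string and matches nothing.
    """
    if not is_valid_product_id(product_id):
        # Reject rather than delete; the caller decides how to report it.
        return remaining(conn)
    conn.execute("DELETE FROM product_list WHERE id = ?", (product_id,))
    conn.commit()
    return remaining(conn)

if __name__ == "__main__":
    payload = "' OR '1'='1"   # the check payload quoted on this page
    print("vulnerable, payload ->", delete_product_vulnerable(make_db(), payload), "rows left")
    print("fixed, payload      ->", delete_product_fixed(make_db(), payload), "rows left")
    print("fixed, id=2         ->", delete_product_fixed(make_db(), "2"), "rows left")
```

In PHP the equivalent of the bound-parameter branch is a mysqli prepared statement or PDO prepare()/execute() with the id passed as a bound value; the validation step is worth keeping even then, because a non-numeric id is never a legitimate delete request for this endpoint.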

🧯 If You Can't Patch

  • Restrict network access to the application to trusted users only
  • Implement database user with minimal necessary permissions

🔍 How to Verify

Check if Vulnerable:

Test the /asms/classes/Master.php?f=delete_product endpoint with SQL injection payloads like ' OR '1'='1

Check Version:

Check application version in admin panel or configuration files

Verify Fix Applied:

Test with SQL injection payloads after implementing fixes to ensure they are blocked

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple failed delete_product requests with suspicious parameters

Network Indicators:

  • HTTP requests to Master.php with SQL keywords in parameters
  • Unusual database query patterns

SIEM Query:

source="web_logs" AND uri="/asms/classes/Master.php" AND (param="delete_product") AND (query CONTAINS "UNION" OR query CONTAINS "SELECT" OR query CONTAINS "OR")
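The SIEM query above, implemented as an added Python detection script (not part of the original page) that applies the same three conditions to Apache-style access-log lines: the path is /asms/classes/Master.php, the f parameter is delete_product, and the URL-decoded query string contains UNION, SELECT or OR. One deliberate difference from the page's query: keywords are matched on word boundaries, so a value such as "ford" does not trip the OR check. The log lines, timestamps and IP addresses are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (not real traffic) in Apache combined format.
SAMPLE_LOGS = [
    '203.0.113.5 - - [10/Jun/2022:12:00:01 +0000] "GET /asms/classes/Master.php?f=delete_product&id=12 HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Jun/2022:12:00:02 +0000] "GET /asms/classes/Master.php?f=delete_product&id=%27+OR+%271%27%3D%271 HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Jun/2022:12:00:03 +0000] "GET /asms/classes/Master.php?f=delete_product&id=1%20UNION%20SELECT%201 HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2022:12:00:04 +0000] "GET /asms/classes/Master.php?f=get_product&id=7 HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Jun/2022:12:00:05 +0000] "GET /asms/index.php?page=products HTTP/1.1" 200 45 "-" "Mozilla/5.0"',
]

# Pulls the request target out of the quoted request line.
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

WATCHED_PATH = "/asms/classes/Master.php"
WATCHED_FUNCTION = "delete_product"
SQL_KEYWORDS = ("UNION", "SELECT", "OR")

def is_suspicious(target):
    """True when the request target matches all three conditions of the page's SIEM query."""
    parts = urlsplit(target)
    if parts.path != WATCHED_PATH:
        return False
    params = parse_qs(parts.query, keep_blank_values=True)
    if WATCHED_FUNCTION not in params.get("f", []):
        return False
    # Decode percent-encoding and '+' before matching, as the attacker's payload
    # arrives encoded; match whole words so ordinary values are not flagged.
    decoded = unquote_plus(parts.query)
    return any(re.search(rf"\b{kw}\b", decoded, re.IGNORECASE) for kw in SQL_KEYWORDS)

def flag_requests(lines):
    """Return the request targets from `lines` that the query would surface."""
    hits = []
    for line in lines:
        match = LOG_RE.search(line)
        if match and is_suspicious(match.group("target")):
            hits.append(match.group("target"))
    return hits

if __name__ == "__main__":
    for target in flag_requests(SAMPLE_LOGS):
        print("suspicious delete_product request:", target)
```

Two caveats when running this against real logs: a standard access log records only the query string, so if the application submits delete_product as a POST body the injected parameter never appears in these lines and the application or WAF log is the right source; and scoping to f=delete_product mirrors the page's query, so widening `WATCHED_FUNCTION` to cover other Master.php handlers is a one-line change if you want broader coverage.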
