CVE-2022-30490
📋 TL;DR
Badminton Center Management System V1.0 contains an SQL injection vulnerability in the court rental status update functionality: the id parameter of /bcms/admin/court_rentals/update_status.php is placed into a SQL statement without validation or parameter binding. An attacker who can reach the admin endpoint can use it to execute arbitrary SQL against the application database. All installations of the vulnerable version are affected.
💻 Affected Systems
- Badminton Center Management System
📦 What is this software?
Badminton Center Management System by Badminton Center Management System Project
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the application database (reading, altering or deleting any table). If the database account the application uses holds file or administrative privileges, the injection can be escalated to reading or writing files on the database host and, from there, to command execution.
Likely Case
Unauthorized data access, modification of booking records, or extraction of sensitive information like user credentials.
If Mitigated
Limited impact with proper input validation and database permissions restricting damage to non-critical data.
🎯 Exploit Status
Exploitation requires an authenticated session for the /bcms/admin/ area; once logged in, injection through the id parameter of update_status.php is straightforward and needs no special tooling. No public exploit beyond the proof-of-concept request is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Unknown
Vendor Advisory: None available
Restart Required: No
Instructions:
No official patch is known. Fix the code yourself: in /bcms/admin/court_rentals/update_status.php, reject any id that is not a plain integer, and pass the id (and the status value) to the database through a prepared statement with bound parameters instead of string interpolation.
🔧 Temporary Workarounds
Input Validation Filter
Add server-side validation so the 'id' parameter is accepted only when it consists of decimal digits.
Modify update_status.php so the check runs before any query: if(!isset($_GET['id']) || !ctype_digit($_GET['id'])) { die('Invalid input'); } (is_numeric() is a weaker test: it also accepts forms such as "1e3" and leading whitespace.)
Web Application Firewall
Deploy WAF rules that block SQL injection patterns aimed at the vulnerable endpoint.
Configure the WAF to block requests to /bcms/admin/court_rentals/update_status.php whose decoded query string contains quotes, comment sequences or SQL keywords; inspect the URL-decoded value, since payloads normally arrive encoded (%27 for the quote). Treat this as a stopgap, not a fix: keyword filters are routinely bypassed with case changes, comments and alternative encodings.
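The code change described above, shown as an added example rather than the project's own update_status.php: the interpolated query that causes the vulnerability beside a version that validates the id and binds both values through a mysqli prepared statement. The $conn handle, the court_rentals table with integer id and status columns, the allowed status values and the request wiring are assumptions made for the example; adapt them to the real file.

```php
<?php
// Added example, not the project's own update_status.php. Hypothetical
// assumptions: $conn is a mysqli handle created by the application's DB
// include (not shown); the table is court_rentals with integer columns id
// and status; status values are limited to the set in $allowed_status.

// --- Vulnerable pattern (kept only to show the defect): untrusted id and
// status are interpolated straight into the statement. With
// id=1' OR '1'='1 the WHERE clause becomes a tautology and every row is
// updated; anything else the database dialect allows follows from there.
function update_status_vulnerable(mysqli $conn, string $id, string $status): bool
{
    $sql = "UPDATE court_rentals SET status = '$status' WHERE id = '$id'";
    return $conn->query($sql) !== false;
}

// --- Hardened version: reject anything that is not what the app expects,
// then bind the values so they never reach the SQL parser as text.
function update_status_safe(mysqli $conn, string $id, string $status): bool
{
    // ctype_digit accepts only "0".."9"; is_numeric would also accept
    // "1e3", " 1" and "+1", which is why it is the weaker filter.
    if (!ctype_digit($id)) {
        return false;
    }
    $allowed_status = ['0', '1', '2']; // assumed set; adapt to the real app
    if (!in_array($status, $allowed_status, true)) {
        return false;
    }

    $stmt = $conn->prepare('UPDATE court_rentals SET status = ? WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    // bind_param takes its arguments by reference, so cast into locals first.
    $status_int = (int) $status;
    $id_int     = (int) $id;
    $stmt->bind_param('ii', $status_int, $id_int);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Request wiring (hypothetical; the real file's flow may differ).
if (isset($_GET['id'], $_GET['status'])) {
    if (update_status_safe($conn, (string) $_GET['id'], (string) $_GET['status'])) {
        echo 'Status updated';
    } else {
        http_response_code(400);
        echo 'Invalid request';
    }
}
```

The validation is defence in depth; the prepared statement alone closes the injection, because bound parameters are sent to the server separately from the statement text and are never parsed as SQL.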
🧯 If You Can't Patch
- Restrict access to /bcms/admin/ directory to authorized IP addresses only
- Run the application under a dedicated database user that holds only the table privileges it needs, with no FILE, SUPER, GRANT or schema-changing rights, so a successful injection cannot read or write files on the database host or reach other databases
🔍 How to Verify
Check if Vulnerable:
Test only against a copy you are authorized to break: the endpoint updates records, so a tautology such as /bcms/admin/court_rentals/update_status.php?id=1' OR '1'='1 will rewrite the status of every row rather than just probing. A lone quote (id=1') that produces a database error, or a 500 response where id=1 succeeds, is enough to show the parameter is unsanitized.
Check Version:
Check software version in admin panel or configuration files
Verify Fix Applied:
Attempt SQL injection payloads and verify they are rejected or sanitized without database errors
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL errors in application logs
- Multiple failed login attempts followed by access to vulnerable endpoint
Network Indicators:
- HTTP requests to /bcms/admin/court_rentals/update_status.php whose id parameter is not a plain integer, including URL-encoded payloads (%27 for the quote, %20 for spaces)
SIEM Query:
source="web_logs" AND uri="/bcms/admin/court_rentals/update_status.php" AND (query="*'*" OR query="*%27*" OR query="*UNION*" OR query="*SELECT*" OR query="* OR *")
Match on the URL-decoded query where the platform allows it, and keep the keyword patterns word-bounded: a bare *OR* substring also matches ordinary values such as "sort". Any request to this endpoint whose id is non-numeric is worth an alert on its own.
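As an added example of the log check above (not taken from the page or the project), a PHP command-line script that scans Apache combined-format access log lines, URL-decodes the query string of requests to the endpoint, and flags those with a non-integer id or injection syntax. The log lines are constructed for illustration; the endpoint path is the one the advisory names.

```php
<?php
// Added detection example; not part of the original page or the project's code.
// Scans Apache combined-format access log lines (constructed below) for
// requests to the vulnerable endpoint whose decoded query string carries
// SQL-injection syntax. Matching runs on the URL-decoded query so that
// id=1%27%20OR%20%271%27%3D%271 is inspected as id=1' OR '1'='1.

const TARGET_PATH = '/bcms/admin/court_rentals/update_status.php';

// Quote, comment sequences, statement separator, and word-bounded keywords.
// \b keeps "or" from matching inside words such as "sort" or "court".
const SQLI_PATTERN = '/(\'|--|\/\*|;|\b(or|and|union|select|sleep|benchmark)\b)/i';

// Pull method, path, raw query and decoded query out of one log line;
// returns null when the line does not contain a request line.
function parse_request(string $line): ?array
{
    if (!preg_match('/"(GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[2]);
    $raw = $url['query'] ?? '';
    return [
        'method'    => $m[1],
        'path'      => $url['path'] ?? '',
        'query_raw' => $raw,
        'query'     => urldecode($raw),
    ];
}

// A request is flagged when it targets the endpoint and its id is not a
// plain integer, or when any decoded parameter contains injection syntax.
function is_suspicious(string $line): bool
{
    $req = parse_request($line);
    if ($req === null || $req['path'] !== TARGET_PATH) {
        return false;
    }
    parse_str($req['query_raw'], $params); // parse_str decodes once itself
    $id = (string) ($params['id'] ?? '');
    if ($id !== '' && !ctype_digit($id)) {
        return true;
    }
    return preg_match(SQLI_PATTERN, $req['query']) === 1;
}

function scan_log(array $lines): array
{
    return array_values(array_filter($lines, 'is_suspicious'));
}

// Constructed sample traffic: two benign requests and two injection attempts.
$sample_log = [
    '10.0.0.5 - - [10/May/2022:10:00:01 +0000] "GET /bcms/admin/court_rentals/update_status.php?id=12&status=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/May/2022:10:00:07 +0000] "GET /bcms/admin/court_rentals/update_status.php?id=1%27%20OR%20%271%27%3D%271&status=1 HTTP/1.1" 200 512 "-" "python-requests/2.27"',
    '10.0.0.9 - - [10/May/2022:10:00:09 +0000] "GET /bcms/admin/court_rentals/update_status.php?id=1%27%20UNION%20SELECT%201,2--%20-&status=1 HTTP/1.1" 500 212 "-" "python-requests/2.27"',
    '10.0.0.5 - - [10/May/2022:10:00:15 +0000] "GET /bcms/admin/?page=court_rentals HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

if (PHP_SAPI === 'cli') {
    foreach (scan_log($sample_log) as $hit) {
        echo "SUSPICIOUS: $hit\n";
    }
}
```

Running it prints the second and third sample lines. Feed real logs by replacing $sample_log with file($path, FILE_IGNORE_NEW_LINES); a non-numeric id on this endpoint is a strong enough signal on its own, and the keyword pattern mainly adds context for triage.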