CVE-2022-30835

Severity: 7.2 HIGH

📋 TL;DR

Wedding Management System v1.0 contains a SQL injection vulnerability in the budget.php admin endpoint that allows attackers to execute arbitrary SQL commands. This affects all deployments of this specific wedding management software version. Attackers can potentially access, modify, or delete database content through this vulnerability.

💻 Affected Systems

Products:
  • Wedding Management System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface at /Wedding-Management/admin/budget.php via the booking_id parameter

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including data theft, data destruction, authentication bypass, and potential server takeover via SQL injection to RCE chaining.

🟠 Likely Case

Unauthorized access to sensitive wedding planning data, client information, financial records, and potential data manipulation.

🟢 If Mitigated

Limited impact with proper input validation, parameterized queries, and WAF protection blocking malicious SQL patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

The exploit requires admin access, but the SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries in budget.php, validate booking_id parameter, and sanitize all user inputs.

🔧 Temporary Workarounds

WAF Rule Implementation

Platform: all

Deploy web application firewall rules to detect and block SQL injection attempts on the vulnerable endpoint

ModSecurity rule: SecRule ARGS:booking_id "@detectSQLi" "id:1001,phase:2,deny,status:403,msg:'SQLi attempt detected'"

Input Validation Filter

Platform: all

Add input validation to only accept numeric values for booking_id parameter

PHP code: if(!is_numeric($_GET['booking_id'])) { die('Invalid input'); }
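The following is an added example, not code from the Wedding Management System project, showing how the official-fix guidance above (parameterized queries plus booking_id validation) and this workaround combine in one hardened handler. The table and column names (bookings, budget), the $mysqli connection and the 400 response are assumptions for illustration; FILTER_VALIDATE_INT is used instead of is_numeric() because is_numeric() also accepts floats, exponent notation and leading whitespace.

```php
<?php
// Added example (not the project's code): a hardened budget.php lookup.
// Assumed: a table `bookings` with integer column `booking_id` and a
// column `budget`, and an open mysqli connection in $mysqli (mysqlnd
// is required for get_result()).
declare(strict_types=1);

// Pattern to avoid: splicing the raw parameter into the SQL text, e.g.
//   "SELECT ... WHERE booking_id = '" . $_GET['booking_id'] . "'"
// A quote inside booking_id then rewrites the query itself.

/**
 * Accept only a positive integer. Returns null for anything else,
 * including arrays (booking_id[]=1), floats, "1e3" and quoted payloads.
 */
function validate_booking_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch the budget row with a prepared statement so the id travels as a
 * bound integer parameter and is never part of the SQL string.
 */
function fetch_budget(mysqli $db, int $bookingId): ?array
{
    $stmt = $db->prepare('SELECT booking_id, budget FROM bookings WHERE booking_id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $bookingId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

$id = validate_booking_id($_GET['booking_id'] ?? null);
if ($id === null) {
    http_response_code(400);   // reject before any database access
    exit('Invalid booking_id');
}
$row = fetch_budget($mysqli, $id);
```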

🧯 If You Can't Patch

  • Block external access to /Wedding-Management/admin/ directory via firewall rules
  • Implement strong authentication controls and monitor admin account activity

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payload: /Wedding-Management/admin/budget.php?booking_id=1' OR '1'='1

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Test with the same payload after the fix; the request should be rejected as invalid input and no SQL should execute.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed SQL queries in application logs
  • Unusual database access patterns from admin interface
  • SQL syntax errors in web server logs for budget.php

Network Indicators:

  • HTTP requests to budget.php with SQL keywords in parameters
  • Unusual database connection spikes

SIEM Query:

source="web_logs" AND uri="*budget.php*" AND (param="*UNION*" OR param="*SELECT*" OR param="*OR '1'='1*")
