CVE-2022-31327 – Online Ordering System version 2.3.2 contains a... (How to Fix)

Q: What is the severity of CVE-2022-31327?

CVE-2022-31327 has a CVSS score of 9.8 (CRITICAL). Online Ordering System version 2.3.2 contains a SQL injection vulnerability in the products parameter that allows attackers to execute arbitrary SQL commands. This affects all systems running this vulnerable version of the software. Attackers can potentially access, modify, or delete database content through this flaw.

📋 TL;DR

Online Ordering System version 2.3.2 contains a SQL injection vulnerability in the products parameter that allows attackers to execute arbitrary SQL commands. This affects all systems running this vulnerable version of the software. Attackers can potentially access, modify, or delete database content through this flaw.

💻 Affected Systems

Products:

Online Ordering System By janobe

Versions: 2.3.2

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the web application component accessible via HTTP.

📦 What is this software?

Online Ordering System by Online Ordering System Project

View all CVEs affecting Online Ordering System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via subsequent attacks.

🟠

Likely Case

Unauthorized access to sensitive customer data, order information, and potential privilege escalation.

🟢

If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-critical data.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending crafted HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection rules to block malicious requests.

Input Validation

all

Implement server-side input validation to sanitize the 'id' parameter.

🧯 If You Can't Patch

Isolate the system from the internet and restrict access to trusted networks only.
Implement strict database permissions to limit potential damage from SQL injection.

🔍 How to Verify

Check if Vulnerable:

Send a test request to /ordering/index.php?q=products&id=1' and check for SQL errors in response.

Check Version:

Check the software version in the admin panel or configuration files.

Verify Fix Applied:

Test with SQL injection payloads and verify they are blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL error messages in web server logs
Multiple requests with SQL-like patterns in parameters

Network Indicators:

HTTP requests containing SQL keywords in the 'id' parameter

SIEM Query:

source="web_server" AND (url="*ordering/index.php*" AND (param="*id=*'*" OR param="*id=*%27*"))

📊 Metadata

CVE ID: CVE-2022-31327

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-89

Published: June 2, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/k0xx11/bug_report/blob/main/vendors/janobe/online-ordering-system/SQLi-1.md Exploit,Third Party Advisory
https://github.com/k0xx11/bug_report/blob/main/vendors/janobe/online-ordering-system/SQLi-1.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-31327, you might also want to check these: