CVE-2022-31343

9.8 CRITICAL

📋 TL;DR

Online Car Wash Booking System v1.0 contains a SQL injection vulnerability in the admin booking details page that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific software version. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Online Car Wash Booking System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface; the injectable input is the id parameter of /ocwbs/admin/?page=bookings/view_details&id=

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including credential theft, data destruction, and potential remote code execution if database permissions allow.

🟠

Likely Case

Unauthorized data access, privilege escalation, and potential administrative account takeover.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only read access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Requires admin access to reach the vulnerable endpoint, but the SQL injection is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Input Validation Filter

all

Add parameter validation to only accept numeric IDs in the id parameter

Modify PHP code to validate: if(!is_numeric($_GET['id'])) { die('Invalid ID'); }

WAF Rule

all

Implement web application firewall rules to block SQL injection patterns

Add WAF rule: Detect and block SQL keywords in id parameter

🧯 If You Can't Patch

  • Isolate the system behind a reverse proxy with strict input validation
  • Implement network segmentation to limit database access from web server

🔍 How to Verify

Check if Vulnerable:

Test the id parameter with SQL injection payloads like: /ocwbs/admin/?page=bookings/view_details&id=1' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test with same payloads and verify they are rejected or sanitized

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed parameter validation attempts
  • Admin access from unusual IPs

Network Indicators:

  • HTTP requests with SQL keywords in id parameter
  • Unusual database query patterns

SIEM Query:

source="web_logs" AND (uri="*bookings/view_details*" AND (param="*id=*'*" OR param="*id=* OR *" OR param="*id=* UNION *"))
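The numeric-id workaround above and the SIEM query's indicators, combined into one log-review script. This is an added example, not part of the advisory or the vendor's code: the access-log lines are constructed samples, and the strict digits-only check stands in for the advisory's is_numeric() suggestion.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from any real system.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /ocwbs/admin/?page=bookings/view_details&id=12 HTTP/1.1" 200 4821
10.0.0.5 - - [01/Jun/2022:10:00:09 +0000] "GET /ocwbs/admin/?page=bookings/view_details&id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9312
10.0.0.7 - - [01/Jun/2022:10:01:12 +0000] "GET /ocwbs/admin/?page=bookings/view_details&id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 512
10.0.0.9 - - [01/Jun/2022:10:02:00 +0000] "GET /ocwbs/admin/?page=bookings HTTP/1.1" 200 3100
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Same hints the SIEM query looks for (quote, OR, UNION) plus common comment sequences.
SQLI_HINTS = re.compile(r"'|\bOR\b|\bUNION\b|--|#|/\*", re.IGNORECASE)

def id_is_valid(value: str) -> bool:
    """Allow-list check: a booking id must be a plain decimal integer.
    Stricter than PHP's is_numeric(), which also accepts '1e3', '1.5' and ' 1'."""
    return value.isdigit()

def inspect_request(target: str) -> Optional[dict]:
    """Return a finding for a view_details request whose id fails validation, else None."""
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)  # parse_qs percent-decodes values
    if qs.get("page", [""])[0] != "bookings/view_details":
        return None
    raw_id = qs.get("id", [""])[0]
    if id_is_valid(raw_id):
        return None
    return {"id": raw_id, "sqli_pattern": bool(SQLI_HINTS.search(raw_id))}

def scan_log(text: str) -> list:
    """Parse each request line and collect findings for the vulnerable endpoint."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        finding = inspect_request(m["target"])
        if finding:
            finding.update(ip=m["ip"], status=m["status"])
            findings.append(finding)
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

Any request whose id is not a bare integer is flagged, so the script also catches attempts that avoid the SIEM query's three keyword patterns.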

🔗 References