CVE-2022-31345

9.8 CRITICAL

📋 TL;DR

Online Car Wash Booking System v1.0 contains a SQL injection vulnerability in the admin panel's user management page. Attackers can exploit this to execute arbitrary SQL commands, potentially compromising the entire database. This affects all deployments of version 1.0 with the vulnerable endpoint exposed.

💻 Affected Systems

Products:
  • Online Car Wash Booking System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection can potentially bypass authentication.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including credential theft, data exfiltration, and potential remote code execution via database functions.

🟠 Likely Case

Unauthorized data access, privilege escalation, and potential administrative account takeover.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only error messages or partial data exposure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to admin panel, but SQL injection may allow authentication bypass.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider migrating to alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Web Application Firewall (all)

Deploy a WAF with SQL injection rules to block malicious requests.

Input Validation (all)

Implement parameterized queries and input sanitization for the vulnerable endpoint.
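The advisory does not show the application's source, so the following is an added illustration (not code from Online Car Wash Booking System) of the pattern it describes: an `id` parameter concatenated into a query, beside the two layers the workaround calls for, binding the value as a parameter and validating its type first. The table, column names and rows are constructed, and SQLite stands in for whatever database the product uses.

```python
import sqlite3

# Constructed sample database standing in for the application's user table.
# Table and column names are assumptions; the advisory does not show the schema.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [(1, "admin", "administrator"), (2, "alice", "staff"), (3, "bob", "staff")],
    )
    return conn


def lookup_user_vulnerable(conn, user_id):
    # The pattern the advisory describes: the request parameter is spliced into the
    # SQL text, so the quoting in the value becomes part of the statement.
    sql = "SELECT id, username, role FROM users WHERE id = '" + user_id + "'"
    return conn.execute(sql).fetchall()


def lookup_user_parameterized(conn, user_id):
    # Layer 1: bind the value. The driver sends it as data, never as SQL text,
    # so a quote-and-OR payload is compared literally against the id column.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (user_id,)
    ).fetchall()


def lookup_user_hardened(conn, user_id):
    # Layer 2: allow-list the expected shape before it reaches the database.
    # An id is a positive integer; anything else is rejected outright.
    if not user_id.isdigit():
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, username, role FROM users WHERE id = ?", (int(user_id),)
    ).fetchall()


if __name__ == "__main__":
    payload = "' OR '1'='1"   # the probe value quoted in the advisory
    db = make_db()
    print("vulnerable:   ", lookup_user_vulnerable(db, payload))    # every row
    print("parameterized:", lookup_user_parameterized(db, payload)) # no rows
    try:
        lookup_user_hardened(db, payload)
    except ValueError as exc:
        print("hardened:      rejected ->", exc)
```

The parameterized version alone already defeats the probe, because the bound string never matches an integer id; the type check on top of it turns a silent empty result into a logged rejection, which is also the event worth alerting on.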

🧯 If You Can't Patch

  • Restrict access to admin panel using IP whitelisting and strong authentication
  • Implement database-level controls: minimal privileges, query logging, and regular backups

🔍 How to Verify

Check if Vulnerable:

Test /ocwbs/admin/?page=user/manage_user&id= parameter with SQL injection payloads like ' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Verify parameterized queries are implemented and test with SQL injection payloads

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful admin access
  • Requests with SQL keywords in URL parameters

Network Indicators:

  • HTTP requests to vulnerable endpoint with SQL payloads
  • Unusual database connections from web server

SIEM Query:

web.url:*manage_user* AND (web.param:*OR* OR web.param:*UNION* OR web.param:*SELECT*)
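The SIEM query above is expressed in a vendor-neutral field syntax; as an added example (not part of the advisory), here is the same logic applied directly to web server access logs in Python, for environments where the logs have not been parsed into `web.url` and `web.param` fields. It URL-decodes each query parameter and matches the keywords as whole words so that a value like `Oregon` does not trip the `OR` rule. The log lines are constructed and the IP addresses are documentation ranges.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Whole-word match for the keywords in the advisory's SIEM query
SQL_KEYWORDS = re.compile(r"\b(OR|UNION|SELECT)\b", re.IGNORECASE)

# Combined log format: ip ident user [ts] "method url proto" status size
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+$'
)

# Constructed sample access log (not real traffic)
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /ocwbs/admin/?page=user/manage_user&id=1 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /ocwbs/admin/?page=user/manage_user&id=%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 4096',
    '198.51.100.9 - - [10/Oct/2023:13:56:01 +0000] "GET /ocwbs/admin/?page=user/manage_user&search=Oregon HTTP/1.1" 200 700',
    '198.51.100.4 - - [10/Oct/2023:13:56:09 +0000] "GET /ocwbs/admin/?page=reports&filter=a%20OR%20b HTTP/1.1" 200 300',
]


def suspicious_params(url):
    """Return [(param, decoded_value, keyword)] for parameter values of a
    manage_user request that contain a bare SQL keyword."""
    if "manage_user" not in url:          # web.url:*manage_user*
        return []
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        m = SQL_KEYWORDS.search(value)    # web.param:*OR* OR *UNION* OR *SELECT*
        if m:
            hits.append((name, value, m.group(1).upper()))
    return hits


def scan_log(lines):
    """Yield one alert tuple (ip, param, keyword) per suspicious parameter."""
    alerts = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        for name, _value, keyword in suspicious_params(m["url"]):
            alerts.append((m["ip"], name, keyword))
    return alerts


if __name__ == "__main__":
    for ip, param, keyword in scan_log(SAMPLE_LOG):
        print(f"ALERT {ip}: keyword {keyword} in parameter '{param}' of manage_user request")
```

Only the second line is flagged: the first is a normal lookup, the third contains `OR` inside a word, and the fourth carries a keyword but is outside the scope the query sets on `manage_user`. Pair this with the 200-with-unusual-size pattern in the response column when tuning, since a successful injection often returns far more rows than a single-user page.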
