CVE-2022-31350

9.8 CRITICAL

📋 TL;DR

Online Car Wash Booking System v1.0 contains a SQL injection vulnerability in the admin vehicle management interface that allows attackers to execute arbitrary SQL commands. This affects all installations of this specific software version. Attackers can potentially access, modify, or delete database contents.

💻 Affected Systems

Products:
  • Online Car Wash Booking System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection is unauthenticated once the endpoint is reached.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including admin credential theft, data exfiltration, and potential remote code execution if database permissions allow.

🟠 Likely Case

Unauthorized data access, privilege escalation, and potential system takeover through admin credential extraction.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only information disclosure.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple SQL injection via id parameter, trivial to exploit with standard SQLi tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Consider replacing with alternative software or implementing custom fixes.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

all

Deploy WAF with SQL injection protection rules to block exploitation attempts.

Input Validation Filter

all

Add input validation so the id parameter is checked before it is used in a query: modify manage_vehicle.php to accept only an integer value for id.

🧯 If You Can't Patch

  • Block access to /ocwbs/admin/vehicles/manage_vehicle.php at network perimeter
  • Implement strict database user permissions with least privilege principle

🔍 How to Verify

Check if Vulnerable:

Test with SQL injection payloads like: /ocwbs/admin/vehicles/manage_vehicle.php?id=1' OR '1'='1

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test with same payloads after implementing fixes to ensure they are blocked.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors in web server logs
  • Multiple requests to manage_vehicle.php with suspicious parameters

Network Indicators:

  • HTTP requests containing SQL keywords like UNION, SELECT, OR 1=1

SIEM Query:

web.url:*manage_vehicle.php* AND (web.param:*OR* OR web.param:*UNION* OR web.param:*SELECT*)
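The log and network indicators above, turned into runnable detection logic as an added example (not part of the original advisory): it parses constructed Apache-style access-log lines, checks every request to manage_vehicle.php for a non-integer id value or the SQL keywords the SIEM query lists, and counts suspicious requests per client so the "multiple requests" indicator can be surfaced too. The log lines and IP addresses are constructed sample data, not observations from any real deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlparse

# Constructed sample access-log lines (Apache combined-style), not real traffic.
# Lines 2 and 3 carry the advisory's injection patterns in URL-encoded form.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jun/2022:10:00:01 +0000] "GET /ocwbs/admin/vehicles/manage_vehicle.php?id=7 HTTP/1.1" 200 512
10.0.0.9 - - [01/Jun/2022:10:00:04 +0000] "GET /ocwbs/admin/vehicles/manage_vehicle.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9120
10.0.0.9 - - [01/Jun/2022:10:00:05 +0000] "GET /ocwbs/admin/vehicles/manage_vehicle.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 233
10.0.0.7 - - [01/Jun/2022:10:00:09 +0000] "GET /ocwbs/index.php?page=home HTTP/1.1" 200 4011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords named in the advisory's network indicators and SIEM query.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|OR)\b", re.IGNORECASE)
TARGET_PATH = "/ocwbs/admin/vehicles/manage_vehicle.php"  # path from the advisory


def classify_request(target):
    """Return the reasons a manage_vehicle.php request looks like SQLi probing ([] if clean)."""
    parsed = urlparse(target)
    if parsed.path != TARGET_PATH:
        return []
    reasons = []
    for value in parse_qs(parsed.query, keep_blank_values=True).get("id", []):
        decoded = unquote_plus(value)  # second decode catches double-encoded payloads
        if not decoded.isdigit():  # the patched endpoint should only ever see an integer
            reasons.append(f"non-integer id: {decoded!r}")
        if SQL_KEYWORDS.search(decoded):
            reasons.append("SQL keyword in id")
    return reasons


def scan_log(text):
    """Parse access-log text and return one alert per suspicious manage_vehicle.php request."""
    alerts = []
    for line in text.splitlines():
        match = LOG_RE.match(line)
        if not match:
            continue  # skip lines that are not in the expected format
        reasons = classify_request(match["target"])
        if reasons:
            alerts.append({"ip": match["ip"], "status": int(match["status"]), "reasons": reasons})
    return alerts


def repeat_offenders(alerts, threshold=2):
    """Clients with at least `threshold` suspicious requests (the 'multiple requests' indicator)."""
    counts = Counter(alert["ip"] for alert in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for alert in found:
        print(alert)
    print("repeat offenders:", repeat_offenders(found))
```

A 500 response on a flagged request (as in the third sample line) matches the "SQL syntax errors in web server logs" indicator and is worth escalating over a 200.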
