Login Sign Up

CVE-2022-31357

9.8 CRITICAL
SQL Injection

📋 TL;DR

Online Ordering System v2.3.2 contains a SQL injection vulnerability in the inventory management interface that allows attackers to execute arbitrary SQL commands. This affects all systems running this specific version of the software. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Online Ordering System
Versions: v2.3.2
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the /ordering/admin/inventory/index.php endpoint to be accessible.

📦 What is this software?

Online Ordering System by Online Ordering System Project

View all CVEs affecting Online Ordering System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized access to sensitive data including customer information, order details, and administrative credentials stored in the database.

🟢

If Mitigated

Limited impact with proper input validation and parameterized queries preventing SQL injection.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin access to the inventory management interface. Public proof-of-concept demonstrates SQL injection via the 'id' parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Unknown

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

all

Implement proper input validation and use parameterized queries or prepared statements in the affected PHP file.

Modify /ordering/admin/inventory/index.php to use prepared statements with PDO or mysqli

Web Application Firewall (WAF)

all

Deploy a WAF with SQL injection protection rules to block malicious requests.

🧯 If You Can't Patch

  • Restrict access to the /ordering/admin/ directory to trusted IP addresses only
  • Disable or remove the vulnerable inventory management interface if not essential

🔍 How to Verify

Check if Vulnerable:

Check if the system is running Online Ordering System v2.3.2 and if the /ordering/admin/inventory/index.php?view=edit&id= endpoint exists.

Check Version:

Check the software version in the application interface or configuration files.

Verify Fix Applied:

Test the vulnerable endpoint with SQL injection payloads to confirm they are blocked or properly handled.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts to admin interface
  • Requests to /ordering/admin/inventory/index.php with suspicious 'id' parameters

Network Indicators:

  • HTTP requests containing SQL keywords like UNION, SELECT, INSERT in URL parameters

SIEM Query:

source="web_logs" AND url="/ordering/admin/inventory/index.php" AND (param="id" AND value CONTAINS "' OR ")

📊 Metadata

CVE ID: CVE-2022-31357
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-89
Published: June 17, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-31357, you might also want to check these:

CVE-2024-8522 10.0

This vulnerability allows unauthenticated attackers to perform SQL injection attacks on WordPress si...

Same vulnerability type (CWE-89)
CVE-2024-13152 10.0

This SQL injection vulnerability in BSS Software's Mobuy Online Machinery Monitoring Panel allows at...

Same vulnerability type (CWE-89)
CVE-2021-42311 10.0

CVE-2021-42311 is a critical SQL injection vulnerability in Microsoft Defender for IoT that allows r...

Same vulnerability type (CWE-89)