CVE-2022-32004

7.2 HIGH

📋 TL;DR

Badminton Center Management System v1.0 contains a SQL injection vulnerability in the product management module: the 'id' parameter of bcms/admin/products/manage_product.php reaches the database query without parameter binding, so an authenticated administrator can execute arbitrary SQL commands. This affects all deployments of the vulnerable version. An attacker who reaches the endpoint could read, modify, or delete database content, including stored credentials.

💻 Affected Systems

Products:
  • Badminton Center Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the admin interface at bcms/admin/products/manage_product.php

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise: theft of stored credentials (including admin password hashes), exfiltration or destruction of data, and potential remote code execution if the database account is allowed to write files (for example MySQL's FILE privilege with SELECT ... INTO OUTFILE into a web-served directory).

🟠 Likely Case

Unauthorized read access to the application database, escalation to other accounts via recovered credentials, and manipulation of application data.

🟢 If Mitigated

Limited impact: a bound parameter or strict numeric validation closes the injection, and a least-privilege database account bounds what a compromised admin session can reach.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: No (an authenticated admin session is required)
Complexity: LOW

Exploitation requires an admin session, but once authenticated the injection is trivial: a single crafted value in the 'id' parameter is enough.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch is known. Fix manage_product.php by passing 'id' to the database as a bound parameter of a prepared statement; as defence in depth, also reject any 'id' value that is not a positive integer before the query is built.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platforms: all

Deploy WAF rules in front of the admin interface that block SQL injection patterns in the 'id' parameter of manage_product.php. Treat this as a stopgap: keyword filters can be bypassed with encoding and comment tricks, and they do not replace the code fix.

Input Validation

Platforms: all

Add server-side validation that rejects any 'id' value that is not a positive integer (for example ctype_digit or FILTER_VALIDATE_INT in PHP) before it reaches the query. Because every known payload must contain quotes or SQL keywords, this check alone closes the injection.
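As an added illustration of both the parameterized-query fix above and this numeric check (example code written for this page, not the project's own manage_product.php; the table name, column names, sample rows and the in-memory SQLite database are assumptions chosen so the script runs offline with PHP's bundled pdo_sqlite):

```php
<?php
// Added example, not the project's own code. Table/column names and the
// in-memory SQLite database are assumptions so the script runs offline;
// the real application uses MySQL, but the PDO calls are identical.

// Vulnerable pattern, as described for CVE-2022-32004: the raw GET value is
// concatenated into the SQL text, so quotes in it change the query structure.
function vulnerable_lookup(PDO $db, array $get): array
{
    $sql = "SELECT id, name FROM products WHERE id = '" . ($get['id'] ?? '') . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened replacement: validate the type first (the input-validation
// workaround), then bind the value as a parameter (the parameterized-query fix).
function hardened_lookup(PDO $db, array $get): array
{
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Reject rather than sanitize: a non-integer id is never legitimate here.
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration against constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO products (id, name) VALUES (1,'Shuttlecock'),(2,'Racket'),(3,'Grip tape')");

$payload = ['id' => "1' OR '1'='1"];   // the probe quoted in this advisory
$legit   = ['id' => '2'];

printf("vulnerable, payload : %d rows\n", count(vulnerable_lookup($db, $payload))); // 3 rows: whole table returned
printf("hardened,   payload : %d rows\n", count(hardened_lookup($db, $payload)));   // 0 rows: rejected before any SQL runs
printf("hardened,   legit   : %d rows\n", count(hardened_lookup($db, $legit)));     // 1 row
```

Run it with `php` on the command line. Against MySQL, pass `PDO::ATTR_EMULATE_PREPARES => false` in the PDO constructor options so the driver uses real server-side prepared statements rather than client-side quoting; the binding in `hardened_lookup` is what prevents the injection in either mode, and the integer check is the extra layer that also keeps nonsense values out of the logs.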

🧯 If You Can't Patch

  • Restrict access to the admin interface using network segmentation, VPN, or IP allow-listing, so the injection is only reachable from trusted networks.
  • Run the application under a database user with the minimum required permissions (principle of least privilege): no FILE privilege, no access to other schemas, and no write access to tables the product module does not need.
  • Since the flaw is only reachable with an admin session, minimise the number of admin accounts, enforce strong unique passwords on them, and review who has logged in recently.

🔍 How to Verify

Check if Vulnerable:

On a system you are authorized to test, log in as an admin and send a pair of boolean probes to the endpoint, comparing the responses: bcms/admin/products/manage_product.php?id=1' AND '1'='1 should render the same as id=1, while id=1' AND '1'='2 returns an empty or different page if the parameter is injectable. The commonly quoted probe id=1' OR '1'='1 also works but may return every product row, which is noisier and easier to spot in logs.

Check Version:

Check software version in admin panel or configuration files.

Verify Fix Applied:

Send the same probes again. A fixed endpoint either rejects the non-numeric value outright (for example with an HTTP 400) or returns identical, uninjected responses for both probes, and the application log shows no SQL syntax errors.

📡 Detection & Monitoring

Log Indicators:

  • SQL syntax errors or HTTP 500 responses in application or web server logs following requests to manage_product.php
  • Multiple failed admin login attempts followed by requests carrying SQL injection patterns (the attacker needs a session before the injection is reachable)

Network Indicators:

  • HTTP requests to manage_product.php whose 'id' parameter is not a plain integer, including URL-encoded forms (%27 for the quote, %20 or + for spaces), or that contain SQL keywords such as OR, UNION, SELECT, or SLEEP

SIEM Query:

web.url:*manage_product.php* AND (web.param.id:*OR* OR web.param.id:*UNION* OR web.param.id:*SELECT*)

Field names are illustrative; map web.url and web.param.id to your own schema. Match on the decoded parameter, or add the URL-encoded forms (%27, %20OR%20, +UNION+), because raw access logs keep the encoding. A higher-fidelity rule for this endpoint is to alert whenever the 'id' value is not a plain integer, since the application never sends anything else.
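The keyword query above misses encoded or keyword-free payloads. As an added example, not from the original page, here is the same detection applied to constructed access-log lines in PHP, with percent-decoding and the stricter "id must be an integer" rule; the log lines, client IPs, timestamps and the second path are made up, and only the vulnerable endpoint path comes from the advisory:

```php
<?php
// Added example (not from the original page). The log lines below are
// constructed in Apache combined format; adapt the request regex if your
// server logs differently.
//
// Rule 1 (high fidelity): manage_product.php is only ever called with an
// integer id, so any decoded id that is not a plain integer is suspicious.
// Rule 2 (weaker, mirrors the SIEM query): SQL keywords or quote characters
// in the decoded id.

const LOG_LINES = [
    '203.0.113.10 - - [10/Jun/2022:12:00:01 +0000] "GET /bcms/admin/products/manage_product.php?id=3 HTTP/1.1" 200 2311',
    '203.0.113.10 - - [10/Jun/2022:12:00:05 +0000] "GET /bcms/admin/products/manage_product.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8744',
    '203.0.113.10 - - [10/Jun/2022:12:00:09 +0000] "GET /bcms/admin/products/manage_product.php?id=1%20AND%20SLEEP(5) HTTP/1.1" 200 2311',
    '198.51.100.7 - - [10/Jun/2022:12:01:00 +0000] "GET /bcms/admin/products/manage_product.php?id=1+UNION+SELECT+1,username,password+FROM+users-- HTTP/1.1" 500 512',
    '198.51.100.7 - - [10/Jun/2022:12:02:00 +0000] "GET /bcms/admin/index.php HTTP/1.1" 200 1200',
];

const TARGET_PATH = '/bcms/admin/products/manage_product.php';

// Returns null for benign lines, otherwise a small record describing the hit.
function analyze(string $line): ?array
{
    // Pull the request target and status code out of the combined-format line.
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+" (\d{3})/', $line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
        return null;
    }
    // parse_str percent-decodes values and turns '+' into spaces, so the
    // checks below see what the PHP application would have seen in $_GET.
    parse_str($url['query'], $params);
    $id = (string)($params['id'] ?? '');

    $reasons = [];
    if (!preg_match('/^\d+$/', $id)) {
        $reasons[] = 'non-integer id';
    }
    if (preg_match('/\b(OR|AND|UNION|SELECT|SLEEP|BENCHMARK)\b|[\'"#]|--/i', $id)) {
        $reasons[] = 'SQL syntax in id';
    }
    if (!$reasons) {
        return null;
    }
    preg_match('/^(\S+)/', $line, $ip);
    return ['ip' => $ip[1], 'status' => (int)$m[2], 'id' => $id, 'reasons' => $reasons];
}

foreach (LOG_LINES as $line) {
    $hit = analyze($line);
    if ($hit !== null) {
        printf("%s status=%d id=%s [%s]\n", $hit['ip'], $hit['status'], $hit['id'], implode(', ', $hit['reasons']));
    }
}
```

The three injected requests are flagged and the two benign ones are not. Note the second line: a 200 response whose body is several times larger than the normal product page is consistent with the OR-based probe returning the whole table, so response size next to the endpoint is a useful secondary signal when the parameter itself is not logged.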

🔗 References
