CVE-2022-32007

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in Complete Online Job Search System v1.0 allows attackers to execute arbitrary SQL commands via the 'id' parameter in the admin company edit page. This affects all organizations using this specific software version without proper input validation. Attackers could potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Complete Online Job Search System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access path /eris/admin/ to be reachable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise leading to data theft, data destruction, or full system takeover via SQL injection to RCE chaining.

🟠

Likely Case

Unauthorized access to sensitive job seeker and employer data, including personal information and credentials.

🟢

If Mitigated

Limited impact with proper input validation, parameterized queries, and database permissions restricting damage scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires access to admin interface but SQL injection is straightforward via crafted 'id' parameter.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Implement parameterized queries in /eris/admin/company/index.php and validate/sanitize all user inputs.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platform: All

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint.

Input Validation Filter

Platform: All

Add server-side validation to only accept numeric values for the 'id' parameter.

Add PHP validation before the parameter reaches any query (the isset() check avoids an undefined-index notice when 'id' is absent): if(!isset($_GET['id']) || !is_numeric($_GET['id'])) { die('Invalid input'); }
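The two fixes above (a numeric check on 'id' and a parameterized query in the company edit handler) combined into one hardened handler. This is an added example written for this page, not code from the Complete Online Job Search System project; the $pdo connection, the `companies` table and its columns are assumed placeholders. It uses filter_var() rather than is_numeric() because is_numeric() also accepts floats and exponent notation such as "1e3", which a row id never needs.

```php
<?php
// Added example (not the project's own code): hardened handler for the
// admin company edit page. Assumes a PDO connection in $pdo and a table
// named `companies` with an integer `id` column; both are placeholders.

function validateCompanyId($raw): ?int {
    // Accept only a positive integer. is_numeric() alone would also admit
    // "1e3", " 1" and floats, so use FILTER_VALIDATE_INT with a minimum.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

function loadCompany(PDO $pdo, int $id): ?array {
    // Prepared statement: the id travels as a bound parameter, never as part
    // of the SQL text, so a quote or keyword in the input cannot alter the query.
    $stmt = $pdo->prepare('SELECT id, name, email FROM companies WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Request handling for /eris/admin/company/index.php?view=edit&id=...
// ($pdo is assumed to have been created earlier with ATTR_EMULATE_PREPARES
// set to false so the database server itself performs the parameter binding.)
if (($_GET['view'] ?? '') === 'edit') {
    $id = validateCompanyId($_GET['id'] ?? '');
    if ($id === null) {
        http_response_code(400);
        exit('Invalid input');
    }
    $company = loadCompany($pdo, $id);
    if ($company === null) {
        http_response_code(404);
        exit('Company not found');
    }
    // ... render the edit form using $company ...
}
```

The validation step is defence in depth: the prepared statement alone already prevents injection, but rejecting non-integer ids early also keeps attack attempts out of the database error log and makes the 400 responses easy to alert on.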

🧯 If You Can't Patch

  • Restrict access to /eris/admin/ directory using IP whitelisting or authentication requirements.
  • Implement database user with minimal permissions (read-only if possible) for the application.

🔍 How to Verify

Check if Vulnerable:

Test /eris/admin/company/index.php?view=edit&id=1' with SQL injection payloads and observe error responses or unexpected behavior.

Check Version:

Check software version in admin panel or configuration files.

Verify Fix Applied:

Attempt SQL injection tests and verify they are blocked or produce no database errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in web server logs
  • Multiple requests to /eris/admin/company/index.php with suspicious 'id' parameters

Network Indicators:

  • HTTP requests containing SQL keywords (UNION, SELECT, etc.) in URL parameters

SIEM Query:

source="web_logs" AND uri_path="/eris/admin/company/index.php" AND (query_string="*id=*'*" OR query_string="*id=*%27*")
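The log indicators and SIEM query above can be checked offline against raw access logs. The script below is an added example, not part of the advisory: it parses combined-format log lines, isolates requests to /eris/admin/company/index.php, and flags any 'id' value that is not a bare integer. This generalizes the SIEM query, which matches only on a quote character, to catch keyword-based and comment-based payloads as well. The log lines are constructed for illustration.

```php
<?php
// Added example (not from the advisory): scan access logs for requests to
// the vulnerable endpoint whose id parameter is not a plain integer.

const TARGET_PATH = '/eris/admin/company/index.php';

function suspiciousIdRequests(array $logLines): array {
    $hits = [];
    foreach ($logLines as $line) {
        // Combined/common log format: the request line is quoted, e.g.
        // "GET /path?query HTTP/1.1"
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $url = parse_url($m[1]);
        if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
            continue;
        }
        parse_str($url['query'], $params);   // parse_str() percent-decodes values
        if (!isset($params['id'])) {
            continue;
        }
        $id = $params['id'];
        // A legitimate edit request carries a bare integer id; anything else
        // (quotes, SQL keywords, comment markers, whitespace) is worth an alert.
        if (!preg_match('/^\d+$/', $id)) {
            $hits[] = ['id' => $id, 'request' => $m[1]];
        }
    }
    return $hits;
}

// Constructed sample log lines (not real traffic).
$sampleLog = [
    '203.0.113.5 - - [10/Oct/2023:12:00:01 +0000] "GET /eris/admin/company/index.php?view=edit&id=7 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Oct/2023:12:00:02 +0000] "GET /eris/admin/company/index.php?view=edit&id=7%27 HTTP/1.1" 500 120',
    '203.0.113.5 - - [10/Oct/2023:12:00:03 +0000] "GET /eris/admin/company/index.php?view=edit&id=7%20UNION%20SELECT%201 HTTP/1.1" 200 900',
    '198.51.100.9 - - [10/Oct/2023:12:00:04 +0000] "GET /eris/admin/index.php?page=home HTTP/1.1" 200 300',
];

// Expected: lines 2 and 3 are reported; line 1 (integer id) and line 4
// (different path) are not.
foreach (suspiciousIdRequests($sampleLog) as $hit) {
    printf("ALERT id=%s (%s)\n", $hit['id'], $hit['request']);
}
```

Because parse_str() decodes percent-encoding before the check, the same rule covers both the raw quote and the %27 form that the SIEM query lists separately. A 500 status on one of these requests, as in the second sample line, is the "unusual SQL error" indicator from the list above and deserves a higher severity.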
