CVE-2022-32014

7.2 HIGH

📋 TL;DR

Complete Online Job Search System v1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to execute arbitrary SQL commands. This affects all deployments of this specific software version. Attackers can potentially access, modify, or delete database content.

💻 Affected Systems

Products:
  • Complete Online Job Search System
Versions: v1.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the specific PHP-based web application; no specific OS dependencies.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full database compromise including credential theft, data exfiltration, and complete system takeover via privilege escalation.

🟠 Likely Case

Unauthorized data access, extraction of sensitive information like user credentials, and potential data manipulation.

🟢 If Mitigated

Limited impact with proper input validation and database permissions, potentially only read-only access to non-sensitive data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public proof-of-concept available; exploitation requires minimal technical skill.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider implementing input validation and parameterized queries manually.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Platform: all

Deploy a WAF with SQL injection rules to block malicious requests.

Input Validation Filter

Platform: linux

Add server-side input validation to reject suspicious characters in the search parameter.

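Example PHP:

$s = $_GET['searchfor'] ?? ''; // a missing parameter is treated as empty
if (!is_string($s) || preg_match('/[\'"\;\-]/', $s)) { die('Invalid input'); } // also rejects array input (searchfor[]=...)

This character denylist is a stopgap only; parameterized queries remain the actual fix.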

🧯 If You Can't Patch

  • Isolate the system from the internet and restrict access to trusted networks only.
  • Implement strict database user permissions with least privilege principles.

🔍 How to Verify

Check if Vulnerable:

Test the endpoint /eris/index.php?q=result&searchfor=byfunction with SQL injection payloads like ' OR '1'='1.

Check Version:

Check the software version in the application's admin panel or configuration files.

Verify Fix Applied:

Verify that SQL injection payloads no longer return unexpected data or errors.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL syntax in HTTP GET parameters
  • Multiple failed login attempts following suspicious queries

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Unusual database query patterns from web server

SIEM Query:

source="web_server" AND (url="*q=result*" AND url="*searchfor=*' OR*")
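The SIEM query above matches only the literal string ' OR, so percent-encoded requests do not trigger it. The following added example (not part of the original advisory or of the vendor's code) decodes each query parameter before matching; it assumes combined-format access logs, and the function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Constructed access-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Jun/2022:10:01:02 +0000] "GET /eris/index.php?q=result&searchfor=byfunction HTTP/1.1" 200 5120',
    '203.0.113.22 - - [12/Jun/2022:10:03:40 +0000] "GET /eris/index.php?q=result&searchfor=%27+OR+%271%27%3D%271 HTTP/1.1" 200 48213',
    '203.0.113.22 - - [12/Jun/2022:10:03:55 +0000] "GET /eris/index.php?q=result&searchfor=%2527%2520OR%25201%253D1 HTTP/1.1" 200 48213',
    '198.51.100.7 - - [12/Jun/2022:10:05:11 +0000] "GET /eris/index.php HTTP/1.1" 200 3310',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')
# Quotes, statement terminators, SQL comments, and keywords in SQL-like context.
SQLI_RE = re.compile(
    r"""['"`;]|--|/\*|\bunion\b.{0,20}\bselect\b|\b(?:or|and)\s+\S+\s*=|\b(?:sleep|benchmark)\s*\(""",
    re.IGNORECASE,
)


def fully_decode(value, rounds=2):
    """Strip extra percent-encoding layers (%2527 -> %27 -> ')."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def scan(lines):
    """Return (client_ip, parameter, decoded_value) for suspicious search requests."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client, target = match.groups()
        params = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        if ("q", "result") not in params:
            continue  # only the search page named in this advisory
        for name, value in params:
            decoded = fully_decode(value)
            if SQLI_RE.search(decoded):
                hits.append((client, name, decoded))
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Legitimate search terms containing an apostrophe will also be flagged, so treat hits as leads to review rather than confirmed attacks.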
