CVE-2022-32331

7.2 HIGH

📋 TL;DR

Fast Food Ordering System v1.0 contains a SQL injection vulnerability in the admin categories view page. Attackers can manipulate the 'id' parameter to execute arbitrary SQL commands, potentially compromising the database. This affects all deployments of the vulnerable software version.

💻 Affected Systems

Products:
  • Fast Food Ordering System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires admin panel access, but SQL injection can bypass authentication if chained with other vulnerabilities.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise including data theft, data manipulation, authentication bypass, and potential server takeover via SQL injection to RCE chaining.

🟠 Likely Case: Unauthorized data access, modification of food categories/pricing, and potential admin account compromise.

🟢 If Mitigated: Limited impact with proper input validation and WAF rules blocking malicious SQL patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit requires admin panel access, but SQL injection payloads are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

1. Download the latest version from the vendor, if one is available.
2. Replace the vulnerable files.
3. Test functionality.

Since no official patch is known, implement the workarounds below or migrate to a secure alternative.

🔧 Temporary Workarounds

Input Validation Filter (platform: all)

Add parameter validation to view_category.php so that it accepts only numeric IDs.

Edit /ffos/admin/categories/view_category.php and add, before the id is used in any query:

if (!isset($_GET['id']) || !is_numeric($_GET['id'])) { die('Invalid parameter'); }
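A stricter version of that workaround, added here as an example and not code from Fast Food Ordering System: it rejects anything that is not a positive integer (is_numeric alone also accepts floats, exponent forms and array values) and then fetches the category through a prepared statement, so the fix does not depend on filtering alone. The $pdo connection and the columns of the categories table are assumptions.

```php
<?php
// Added example, not the project's own code: a hardened handler for the
// `id` parameter of view_category.php. It assumes an existing PDO
// connection in $pdo and a `categories` table with an integer `id` column.

// Strict integer validation. is_numeric() also accepts "1e3", "1.5" and
// " 1", so FILTER_VALIDATE_INT with a range is used instead; an array
// value (id[]=1) is rejected as well. Returns null when the id is unusable.
function parse_category_id(array $query): ?int
{
    if (!isset($query['id']) || !is_string($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id is bound as an integer parameter of a prepared statement, so it
// is never spliced into SQL text (the concatenation pattern behind the CVE).
function fetch_category(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, description FROM categories WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$id = parse_category_id($_GET);
if ($id === null) {
    // Record the rejected value so it shows up in the server logs,
    // then fail closed without echoing anything about the database.
    error_log(sprintf('view_category: rejected id=%s from %s',
        var_export($_GET['id'] ?? null, true), $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(400);
    exit('Invalid parameter');
}

try {
    $category = fetch_category($pdo, $id);
} catch (PDOException $e) {
    error_log('view_category: database error: ' . $e->getMessage());
    http_response_code(500);
    exit('Server error');   // no SQL error text reaches the client
}
```

Rejected requests are written to the error log rather than returned to the client, which also feeds the log indicators listed under Detection & Monitoring.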

WAF Rule Implementation (platform: linux)

Deploy web application firewall rules to block SQL injection patterns.

For ModSecurity:

SecRule ARGS_GET:id "@detectSQLi" "id:1001,phase:2,deny,status:403"

🧯 If You Can't Patch

  • Isolate the admin panel behind VPN or internal network only
  • Implement strict network segmentation and database access controls

🔍 How to Verify

Check if Vulnerable:

Test with payload: /ffos/admin/categories/view_category.php?id=1' OR '1'='1

Check Version:

Check software version in admin panel or readme files

Verify Fix Applied:

Test with the same payload: the page should now return an error or no data instead of executing the injected SQL.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in web logs
  • Multiple failed login attempts followed by SQL payloads
  • Requests with SQL keywords in id parameter

Network Indicators:

  • HTTP requests containing UNION, SELECT, OR 1=1 in query parameters
  • Abnormal database query patterns from web server

SIEM Query:

source="web_logs" AND (url="*view_category.php*" AND (query="*UNION*" OR query="*SELECT*" OR query="*OR 1=1*"))
