CVE-2022-32339

7.2 HIGH

📋 TL;DR

Hospital's Patient Records Management System v1.0 contains a SQL injection vulnerability in the doctor viewing functionality that allows attackers to execute arbitrary SQL commands. This affects all systems running the vulnerable version, potentially exposing sensitive patient data and system controls.

💻 Affected Systems

Products:
  • Hospital's Patient Records Management System
Versions: v1.0
Operating Systems: Any OS running a PHP web server
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the default installation with no specific configuration required for exploitation.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete database compromise including patient medical records, personal information, authentication credentials, and potential system takeover.

🟠 Likely Case

Unauthorized access to patient records, doctor information, and potentially administrative credentials.

🟢 If Mitigated

Limited impact with proper input validation and database permissions restricting damage to non-sensitive data.

🌐 Internet-Facing: HIGH - The vulnerable endpoint is accessible via web interface and SQL injection is easily automated.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit but require network access to the system.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires admin authentication but SQL injection payloads are well-documented and easily automated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Implement workarounds or consider alternative software.

🔧 Temporary Workarounds

Web Application Firewall (WAF)

Applies to: all

Deploy WAF rules to block SQL injection patterns targeting the vulnerable endpoint

Input Validation Filter

Applies to: linux

Add input validation so the 'id' parameter is rejected unless it is an integer before it reaches any query (the null-coalescing default avoids an undefined-index notice when the parameter is missing):

Example PHP:

    $id = filter_var($_GET['id'] ?? '', FILTER_VALIDATE_INT);
    if ($id === false) {
        die('Invalid input');
    }
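The filter above only blocks malformed input; the durable fix is to stop building SQL from the parameter at all. The following is an added example of a hardened view_doctor.php handler, not code from the HPRMS project: it validates the id strictly, binds it as an integer in a prepared statement, and connects with a low-privilege database user as recommended under "If You Can't Patch". The table and column names (doctors, id, name, specialty), the database name and the credentials are assumed placeholders.

```php
<?php
// Added example (not the project's own code): hardened handler for view_doctor.php.
// Assumptions: a `doctors` table with columns `id`, `name`, `specialty` (hypothetical);
// the DSN, user name and password are placeholders to be replaced.
declare(strict_types=1);

/**
 * Validate the id query parameter strictly: only a positive integer is accepted.
 * Returns null when the value is missing, not a string, or not an integer.
 */
function validate_doctor_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one doctor row with a prepared statement. The id is bound as an integer,
 * so it is sent as data and is never interpreted as SQL.
 */
function fetch_doctor(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name, specialty FROM doctors WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Reject bad input with a generic 400 before the database is touched.
$id = validate_doctor_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid doctor id');
}

// Read-only account (placeholder credentials): even a bypassed check cannot modify data.
$pdo = new PDO('mysql:host=localhost;dbname=hprms_db', 'hprms_readonly', 'PLACEHOLDER_PASSWORD', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION, // errors become exceptions
    PDO::ATTR_EMULATE_PREPARES   => false,                  // real server-side prepares
]);

$doctor = fetch_doctor($pdo, $id);
if ($doctor === null) {
    http_response_code(404);
    exit('Doctor not found');
}

// Escape on output as well, so stored data cannot be rendered as HTML.
echo htmlspecialchars($doctor['name'], ENT_QUOTES, 'UTF-8');
```

With this in place the payload from the "How to Verify" section returns a 400 at the validation step, and even a request that somehow carried a string would be bound as an integer parameter rather than concatenated into the query. Exceptions from PDO should be logged server-side and answered with a generic error page, since verbose SQL errors are themselves one of the log indicators listed below.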

🧯 If You Can't Patch

  • Restrict access to /hprms/admin/ directory using network ACLs or authentication requirements
  • Implement database user with minimal permissions (read-only for doctor viewing functions)

🔍 How to Verify

Check if Vulnerable:

Test the endpoint with SQL injection payloads: /hprms/admin/doctors/view_doctor.php?id=1' OR '1'='1

Check Version:

Check system documentation or about page for version information

Verify Fix Applied:

Test with same payloads and verify proper error handling or rejection

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL errors in application logs
  • Multiple failed parameter validation attempts
  • Admin panel access from unusual IPs

Network Indicators:

  • HTTP requests with SQL keywords in URL parameters
  • Unusual database query patterns from web server

SIEM Query:

web.url:*view_doctor.php* AND (web.param:*OR* OR web.param:*UNION* OR web.param:*SELECT*)
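For environments without a SIEM, the same indicator logic can be applied directly to web server access logs. This is an added example, not part of the original advisory or the HPRMS project: it decodes the query string of each request to view_doctor.php and flags SQL keywords matched on word boundaries. The log lines are constructed for the example and are not real traffic.

```php
<?php
// Added example: scan access-log lines for the SQL injection indicators listed above.
// The sample lines below are constructed for this example, not captured traffic.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /hprms/admin/doctors/view_doctor.php?id=3 HTTP/1.1" 200 1532
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /hprms/admin/doctors/view_doctor.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9821
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /hprms/admin/doctors/view_doctor.php?id=1%20UNION%20SELECT%201,2,3 HTTP/1.1" 500 412
10.0.0.7 - - [01/Jan/2024:10:00:15 +0000] "GET /hprms/admin/doctors/manage_doctor.php?id=2 HTTP/1.1" 200 2201
LOG;

/**
 * Return the log lines that request view_doctor.php with a decoded query string
 * containing OR, UNION or SELECT as whole words (the SIEM query applied to raw text).
 */
function find_sqli_indicators(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        // Pull the request target out of the common log format request field.
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $line, $m)) {
            continue;
        }
        $url = $m[1];
        if (stripos($url, 'view_doctor.php') === false) {
            continue;
        }
        // Decode percent-encoding so "%27%20OR%20" is seen as "' OR ".
        $query = rawurldecode((string) parse_url($url, PHP_URL_QUERY));
        // Word boundaries keep values such as "order" or "selection" from matching.
        if (preg_match('/\b(OR|UNION|SELECT)\b/i', $query)) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Usage: the second and third sample lines are reported; the others are not.
foreach (find_sqli_indicators(SAMPLE_LOG) as $hit) {
    echo "ALERT: $hit\n";
}
```

Matching on decoded keywords is deliberately broad; it is a triage signal to be correlated with the other indicators above (500 responses, SQL errors in the application log, admin-panel access from unexpected source addresses), not a verdict on its own.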

🔗 References
