CVE-2022-32341

7.2 HIGH

📋 TL;DR

This SQL injection vulnerability in Hospital's Patient Records Management System v1.0 lets an authenticated attacker execute arbitrary SQL commands through the 'id' parameter of the admin user management page (/hprms/admin/?page=user/manage_user&id=). Because the parameter reaches the database unparameterized, a crafted value can read or modify any data the application's database account can touch, leading to unauthorized access, data theft, or system compromise. All deployments of v1.0 are affected.

💻 Affected Systems

Products:
  • Hospital's Patient Records Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web interface at /hprms/admin/?page=user/manage_user&id= parameter

📦 What is this software?

A PHP web application for managing hospital patient records, served under the /hprms/ path; the vulnerable page belongs to its administrative interface at /hprms/admin/.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including patient medical records, personal information, and administrative credentials leading to data breach, system takeover, and potential ransomware deployment.

🟠

Likely Case

Unauthorized access to patient records, extraction of sensitive medical data, and potential privilege escalation to administrative accounts.

🟢

If Mitigated

Limited impact when 'id' is allowlisted to an unsigned integer and the application's database account has least privilege (read-only where possible, confined to the application's own tables): an attacker is then restricted to viewing the records the admin page already exposes, with no modification or cross-database access.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated admin session, but once logged in the attack is a single crafted GET parameter and needs no special tooling.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Implement workarounds and consider migrating to supported software.

🔧 Temporary Workarounds

Input Validation Filter

all

Validate 'id' server-side with an allowlist: accept only an unsigned integer and reject anything else with an error response, rather than trying to strip or escape "dangerous" characters

Rewrite the lookup in the PHP code as a prepared statement with a bound parameter (PDO or mysqli) so the value can never be interpreted as SQL; this is the actual fix, and the allowlist is defence in depth on top of it
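The following is an added example, not the project's PHP code: it re-creates in Python, against an in-memory SQLite table, the query pattern this CVE describes (a user lookup that splices 'id' into SQL text) next to the parameterized and allowlisted lookup the workaround above asks for. The table layout, column names and the assumption that the vulnerable query wraps the id in single quotes are constructed for the demonstration; the tautology payload is the one the verification step uses.

```python
"""Vulnerable vs. hardened lookup of a user record by id.

Added example: a Python/sqlite3 re-creation of the query pattern behind
this CVE, not the project's code.  The users table, its columns and the
exact quoting of the vulnerable query are assumptions.
"""
import re
import sqlite3


def make_db():
    """Constructed sample data standing in for the application's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin",   "hash_admin_constructed"),
        (2, "nurse01", "hash_nurse_constructed"),
        (3, "doc01",   "hash_doc_constructed"),
    ])
    return conn


def fetch_user_vulnerable(conn, user_id):
    # The untrusted value is spliced into the SQL text, so the caller controls
    # SQL syntax, not just a value.  Assumed to mirror a PHP query of the form
    # "... where id = '{$_GET['id']}'".
    sql = f"SELECT id, username FROM users WHERE id = '{user_id}'"
    return conn.execute(sql).fetchall()


def fetch_user_parameterized(conn, user_id):
    # Binding keeps code and data apart: the payload is compared as one
    # literal string against the integer column and matches nothing.
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (user_id,)).fetchall()


def fetch_user_hardened(conn, user_id):
    # Defence in depth: allowlist the shape first (a clean error instead of a
    # silent empty result), then bind the typed value.
    if not isinstance(user_id, str) or not re.fullmatch(r"[0-9]+", user_id):
        raise ValueError("id must be an unsigned integer")
    return conn.execute("SELECT id, username FROM users WHERE id = ?", (int(user_id),)).fetchall()


if __name__ == "__main__":
    conn = make_db()
    tautology = "' OR '1'='1"                                           # verification payload
    union = "' UNION SELECT id, password FROM users WHERE '1'='1"       # credential theft
    print("legit     :", fetch_user_vulnerable(conn, "2"))
    print("tautology :", fetch_user_vulnerable(conn, tautology))       # every user
    print("union     :", fetch_user_vulnerable(conn, union))           # password hashes
    print("bound     :", fetch_user_parameterized(conn, tautology))    # []
    try:
        fetch_user_hardened(conn, tautology)
    except ValueError as err:
        print("hardened  :", err)
```

The UNION payload is what turns "view one user" into "dump every password hash": the injected SELECT only has to match the column count of the original query. Note that binding alone already defeats both payloads; the allowlist is there so that garbage in 'id' fails loudly and shows up in logs instead of returning an empty page.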

Web Application Firewall Rule

all

Because a legitimate 'id' on this page is always an integer, the WAF rule can be strict: reject any request to page=user/manage_user whose URL-decoded 'id' is not purely numeric

A keyword blocklist (OR, UNION, SELECT) is a weaker fallback: it is bypassed with case changes and encoding and is only a stopgap until the PHP query itself is parameterized

🧯 If You Can't Patch

  • Isolate the system behind a firewall and restrict /hprms/admin/ to a small set of administrator source addresses; exploitation already needs an admin session, so limiting who can reach the admin interface directly shrinks the attacker pool
  • Segment the network so the database host is reachable only from the application server, and monitor for SQL injection attempts against the 'id' parameter

🔍 How to Verify

Check if Vulnerable:

Log in as an administrator and request /hprms/admin/?page=user/manage_user with 'id' set to ' OR '1'='1 (URL-encoded: %27%20OR%20%271%27%3D%271). A vulnerable build returns a user record (often the first row) instead of an error or an empty page, and a lone single quote (id=1%27) typically produces a database error. Do this against a test copy rather than a production system holding real patient data, since the payload is executed by the database.

Check Version:

Check system version in admin panel or configuration files

Verify Fix Applied:

Repeat the same requests after applying the fix: any non-numeric 'id' must be rejected with an application error or an empty result, and no database error text may appear in the response.

📡 Detection & Monitoring

Log Indicators:

  • Database syntax errors in the application or web-server error logs that quote fragments of the user lookup query
  • Repeated or failed admin login attempts followed by requests to manage_user with non-numeric 'id' values

Network Indicators:

  • HTTP requests with SQL keywords in id parameter
  • Unusual database query patterns

SIEM Query:

web.url:*manage_user* AND (web.param.id:*OR* OR web.param.id:*UNION* OR web.param.id:*SELECT*)

Field names are illustrative; match on the URL-decoded 'id' value and case-insensitively, since payloads arrive percent-encoded and in mixed case. A stricter and simpler rule is to alert on any manage_user request whose 'id' is not purely numeric, which also catches quote-only probes such as id=1'.
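An added example, not part of the original advisory, that runs the detection logic above over constructed Apache combined-format access-log lines in Python. It parses each request, scopes to page=user/manage_user under /hprms/admin/, and alerts on any 'id' that is not an unsigned integer, listing the injection tokens found for the analyst. It goes beyond the SIEM query in two ways: it inspects the URL-decoded value, and it flags a non-numeric id even when no keyword is present. The log lines, addresses and user agents are constructed.

```python
"""Scan access logs for SQL-injection attempts against the manage_user
'id' parameter.  Added example, not from the advisory; the log lines are
constructed, not captured from a real system."""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx "combined" format: ip - user [ts] "METHOD URL PROTO" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

# Tokens that have no business inside a numeric id.  Word boundaries keep
# "or" from matching inside harmless words; quote and comment characters are
# the real tell for the payload shape used against this CVE.
TOKEN_RE = re.compile(
    r"\b(or|and|union|select|sleep|benchmark|extractvalue)\b|'|\"|--|#|/\*", re.I
)

# Constructed sample: one normal request, two injection attempts, one unrelated page.
LOG_LINES = """\
203.0.113.5 - - [10/Jun/2022:14:03:11 +0000] "GET /hprms/admin/?page=user/manage_user&id=2 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2022:14:03:40 +0000] "GET /hprms/admin/?page=user/manage_user&id=2%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9811 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2022:14:04:02 +0000] "GET /hprms/admin/?page=user/manage_user&id=2%27%20UnIoN%20SeLeCt%201,2%23 HTTP/1.1" 500 612 "-" "sqlmap/1.6"
198.51.100.7 - - [10/Jun/2022:14:05:00 +0000] "GET /hprms/admin/?page=home HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
"""


def parse_request(line):
    """Fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify_id(raw_id):
    """Reasons a decoded id value looks like an injection attempt (empty = clean).

    Primary rule: the value must be an unsigned integer (allowlist).
    Secondary: which injection tokens appear, for the analyst's benefit.
    """
    if re.fullmatch(r"[0-9]+", raw_id):
        return []
    reasons = ["id is not purely numeric"]
    tokens = sorted({m.group(0).lower() for m in TOKEN_RE.finditer(raw_id)})
    if tokens:
        reasons.append("tokens: " + ", ".join(tokens))
    return reasons


def scan(lines):
    """Return one alert dict per suspicious manage_user request."""
    alerts = []
    for line in lines:
        req = parse_request(line)
        if not req:
            continue
        parts = urlsplit(req["url"])
        if not parts.path.startswith("/hprms/admin"):
            continue
        # parse_qs percent-decodes and turns '+' into ' ', so mixed-case and
        # encoded payloads are inspected in their decoded form.
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("page", [""])[0] != "user/manage_user":
            continue
        for raw_id in qs.get("id", []):
            reasons = classify_id(raw_id)
            if reasons:
                alerts.append({
                    "ip": req["ip"], "ts": req["ts"], "status": int(req["status"]),
                    "ua": req["ua"], "id": raw_id, "reasons": reasons,
                })
    return alerts


if __name__ == "__main__":
    for alert in scan(LOG_LINES.splitlines()):
        print(f"{alert['ts']} {alert['ip']} status={alert['status']} ua={alert['ua']!r} "
              f"id={alert['id']!r}: {'; '.join(alert['reasons'])}")
```

A 500 status paired with a flagged id (the third line) is the log-side counterpart of the "database syntax errors" indicator above and deserves a higher severity than a 200, since it shows the payload reached the query engine.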
