CVE-2022-32343

7.2 HIGH

📋 TL;DR

CVE-2022-32343 is a SQL injection vulnerability in Hospital's Patient Records Management System v1.0. The 'id' parameter of the room_types management page (hprms/admin/room_types/manage_room_type.php) is placed into a database query without validation or parameterisation, so anyone with an admin-panel session can execute arbitrary SQL against the application's database: reading, modifying or deleting patient records and any other table the database account can reach. Every deployment of the vulnerable version is affected.

💻 Affected Systems

Products:
  • Hospital's Patient Records Management System
Versions: v1.0
Operating Systems: Any
Default Config Vulnerable: ⚠️ Yes
Notes: Requires an authenticated session in the admin panel (hprms/admin/). The injection itself does not bypass the login; it becomes reachable once an attacker holds admin credentials or a session, whether obtained through weak or reused passwords, credential theft, or another vulnerability.

📦 What is this software?

A PHP/MySQL web application for managing hospital patient records and related reference data such as room types. The vulnerable page is the room_types management script in the admin area (hprms/admin/room_types/manage_room_type.php).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of the patient database: theft of all medical records, deletion of critical patient data, or, where the database account holds the FILE privilege or other excess rights, writing files to the web root to install a backdoor for persistent access.

🟠 Likely Case

Unauthorized reading and exfiltration of patient records, plus manipulation of room type data that disrupts hospital operations.

🟢 If Mitigated

With the id parameter validated and the application's database user restricted to least privilege, the injection yields at most read access to the tables that user can already SELECT from, with no ability to modify data or touch the file system.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ❌ No (authenticated admin-panel session required)
Complexity: LOW

Exploit requires admin panel access, but SQL injection payloads are well-documented and easy to weaponize.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None found

Restart Required: No

Instructions:

No official patch available. Implement workarounds immediately.

🔧 Temporary Workarounds

Input Validation and Parameterized Queries

Applies to: all deployments

Modify manage_room_type.php so that the 'id' parameter is validated as a positive integer and is passed to the database only through a prepared statement (mysqli or PDO), never concatenated into the query string. Validation alone is not sufficient; the prepared statement is what guarantees the value cannot be parsed as SQL.
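As an added illustration of that workaround (example code written for this page, not the project's own source), the following shows the vulnerable concatenation pattern beside a hardened handler. It assumes a `room_types` table with `id`, `name` and `price` columns and an existing mysqli connection in `$conn`; the real column names in the application may differ.

```php
<?php
// Added example: hardened lookup for manage_room_type.php.
// Assumptions (not from the advisory): the page loads one row from a
// `room_types` table by primary key `id`, and $conn is an existing mysqli
// connection. Adjust table/column names to the real schema.

// --- Vulnerable pattern (for contrast only; do not use) ---
// $id  = $_GET['id'];
// $qry = $conn->query("SELECT * FROM room_types WHERE id = '{$id}'");
// With id=1' OR '1'='1 the WHERE clause becomes always-true and every row
// is returned; with a UNION payload, any readable table can be dumped.

/**
 * Validate the id parameter: it must be a positive integer.
 * Returns the integer, or null if the value is missing or malformed.
 */
function parse_room_type_id(?string $raw): ?int
{
    if ($raw === null) {
        return null;
    }
    // FILTER_VALIDATE_INT rejects "1'", "1 OR 1=1", "1e3" and surrounding junk.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Fetch one room type by id using a prepared statement.
 * The id is bound as an integer, so its value is never parsed as SQL.
 * get_result() needs the mysqlnd driver; use bind_result() otherwise.
 */
function fetch_room_type(mysqli $conn, int $id): ?array
{
    $stmt = $conn->prepare('SELECT id, name, price FROM room_types WHERE id = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $conn->error);
    }
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// --- Request handling ---
$id = parse_room_type_id($_GET['id'] ?? null);
if ($id === null) {
    http_response_code(400);
    exit('Invalid room type id');
}
$room_type = fetch_room_type($conn, $id);
if ($room_type === null) {
    http_response_code(404);
    exit('Room type not found');
}
// ... render the edit form from $room_type ...
```

The same two steps (integer validation, then a bound parameter) apply to every other admin script in the application that takes an id from the query string; the advisory covers only this one page, but the pattern is likely repeated.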

Web Application Firewall (WAF)

Applies to: all deployments

Deploy WAF rules that block SQL injection patterns on the id parameter. ModSecurity example:

SecRule ARGS:id "@detectSQLi" "id:1001,phase:2,deny,status:403"

Treat this as defence in depth only: libinjection-based detection can be evaded with encoding and comment tricks, and this rule covers a single parameter name, so it does not replace the code fix above.

🧯 If You Can't Patch

  • Isolate the system behind a firewall and restrict the admin panel (hprms/admin/) to trusted networks or VPN addresses, since the injection requires an admin session
  • Implement database-level protections: give the application its own database user with only the SELECT/INSERT/UPDATE/DELETE rights it needs on its own schema, and no FILE, DROP or administrative privileges

🔍 How to Verify

Check if Vulnerable:

With an authenticated admin session on a system you are authorised to test, request hprms/admin/room_types/manage_room_type.php?id=1 and then id=1' (a trailing single quote). A SQL error or a changed response indicates the value reaches the query unescaped. Confirm with a boolean pair such as id=1' AND '1'='1 versus id=1' AND '1'='2: if the first returns the record and the second does not, the parameter is injectable.

Check Version:

Check the system version in the admin panel or configuration files. Only v1.0 is known and no fixed release has been published, so treat any deployment as vulnerable unless the code has been patched locally.

Verify Fix Applied:

Repeat the same requests after applying the fix. Non-integer id values should be rejected uniformly (for example with a 400 response) with no SQL error text, and the two boolean payloads should produce identical responses.

📡 Detection & Monitoring

Log Indicators:

  • SQL error messages in web server or application logs (MySQL syntax errors, mysql_fetch or mysqli warnings)
  • Multiple failed admin logins followed by requests carrying SQL injection patterns, since the injection needs an admin session
  • Requests to manage_room_type.php whose 'id' parameter is not a plain integer (quotes, OR/AND, UNION, SLEEP, comment sequences)

Network Indicators:

  • Unusual query volume or patterns between the web server and the database (for example full-table reads from a page that normally fetches one row)
  • Large data transfers from the web server to external IPs following such requests

SIEM Query:

source="web_logs" AND ("SQL syntax" OR "mysql_fetch" OR "You have an error in your SQL syntax")

This query only catches error-based attempts where the error text reaches the logs; blind (boolean or time-based) injection produces no error, so pair it with a search on the request parameter itself.
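To make the request-parameter indicator concrete, here is an added example (not part of the original advisory or the project) in PHP: a script that scans combined-format access-log lines for requests to manage_room_type.php whose id value is not a plain integer, and classifies the ones that contain SQL metacharacters or keywords. The log lines are constructed for the example, not real traffic.

```php
<?php
// Added example: scan a web access log for SQL-injection attempts against the
// room_types 'id' parameter. Sample log lines below are constructed, not real.

const TARGET_PATH = '/hprms/admin/room_types/manage_room_type.php';

// Content that never belongs in a numeric id. Patterns are case-insensitive.
const SUSPICIOUS_ID_PATTERNS = [
    '/[\'"`]/',                                    // quote characters
    '/\b(or|and)\b\s*[\'"(\d]/i',                  // boolean logic: OR '1'='1, AND 1=1
    '/\bunion\b.*\bselect\b/i',                    // UNION SELECT
    '/\b(sleep|benchmark|load_file|outfile)\b/i',  // time-based and file primitives
    '/(--|#|\/\*)/',                               // SQL comment sequences
];

/**
 * Return the percent-decoded value of ?id= for requests to TARGET_PATH,
 * or null when the request is for another page or carries no id.
 */
function extract_id(string $request_line): ?string
{
    // Request field looks like: GET /path?query HTTP/1.1
    if (!preg_match('/^[A-Z]+ (\S+) HTTP\/[\d.]+$/', $request_line, $m)) {
        return null;
    }
    $url = parse_url($m[1]);
    if (($url['path'] ?? '') !== TARGET_PATH || empty($url['query'])) {
        return null;
    }
    parse_str($url['query'], $params);   // parse_str also URL-decodes values
    return isset($params['id']) ? (string) $params['id'] : null;
}

/**
 * Classify one combined-format access-log line.
 * Returns null for benign lines, otherwise a short description of the hit.
 */
function check_log_line(string $line): ?string
{
    // Combined format: ip - user [time] "request" status bytes "referer" "agent"
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "([^"]*)"/', $line, $m)) {
        return null;
    }
    $id = extract_id($m[2]);
    if ($id === null) {
        return null;
    }
    // A well-formed id is a plain positive integer; anything else is suspect.
    if (preg_match('/^\d+$/', $id)) {
        return null;
    }
    foreach (SUSPICIOUS_ID_PATTERNS as $pattern) {
        if (preg_match($pattern, $id)) {
            return sprintf('%s injected id=%s', $m[1], $id);
        }
    }
    return sprintf('%s malformed id=%s', $m[1], $id);
}

// Constructed sample lines (not real traffic): one benign lookup, two
// injection attempts, and one request to a different page that is ignored.
$sample_log = [
    '10.0.0.5 - - [10/Jun/2022:10:01:02 +0000] "GET /hprms/admin/room_types/manage_room_type.php?id=3 HTTP/1.1" 200 1320 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jun/2022:10:01:07 +0000] "GET /hprms/admin/room_types/manage_room_type.php?id=1%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 8811 "-" "curl/7.81"',
    '10.0.0.9 - - [10/Jun/2022:10:01:15 +0000] "GET /hprms/admin/room_types/manage_room_type.php?id=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 1320 "-" "curl/7.81"',
    '10.0.0.5 - - [10/Jun/2022:10:02:00 +0000] "GET /hprms/admin/patients/index.php?id=1%27 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
];

foreach ($sample_log as $line) {
    $hit = check_log_line($line);
    if ($hit !== null) {
        echo "ALERT: {$hit}\n";
    }
}
```

Run against a real log with `php detect.php < access.log` after swapping the sample array for a loop over STDIN; only the two 10.0.0.9 requests raise alerts. Widen TARGET_PATH to a prefix such as /hprms/admin/ if you want the same check across every admin script that takes an id.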
