CVE-2022-34024 – Barangay Management System v1.0 contains an arb... (How to Fix)

Q: What is the severity of CVE-2022-34024?

CVE-2022-34024 has a CVSS score of 7.2 (HIGH). Barangay Management System v1.0 contains an arbitrary file upload vulnerability in the resident module editing function. Attackers can upload malicious files to execute arbitrary code on the server. This affects all deployments of Barangay Management System v1.0.

📋 TL;DR

Barangay Management System v1.0 contains an arbitrary file upload vulnerability in the resident module editing function. Attackers can upload malicious files to execute arbitrary code on the server. This affects all deployments of Barangay Management System v1.0.

💻 Affected Systems

Products:

Barangay Management System

Versions: v1.0

Operating Systems: Any

Default Config Vulnerable: ⚠️ Yes

Notes: Affects the resident.php module at /bmis/pages/resident/resident.php

📦 What is this software?

Barangay Management System by Barangay Management System Project

View all CVEs affecting Barangay Management System →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full system compromise via remote code execution, allowing attackers to install malware, steal data, or pivot to other systems.

🟠

Likely Case

Webshell deployment leading to data theft, defacement, or use as a foothold for further attacks.

🟢

If Mitigated

Limited impact with proper file upload restrictions and server hardening.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ✅ No

Complexity: LOW

Exploitation requires authentication to access the resident module editing function

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider workarounds or migrating to alternative software.

🔧 Temporary Workarounds

File Upload Restriction

all

Implement server-side validation to restrict uploaded file types to safe extensions only

Web Application Firewall

all

Deploy WAF rules to block malicious file upload attempts

🧯 If You Can't Patch

Disable the resident module editing function if not required
Implement strict file upload validation and store uploaded files outside web root

🔍 How to Verify

Check if Vulnerable:

Check if /bmis/pages/resident/resident.php exists and allows file uploads without proper validation

Check Version:

Check software version in admin panel or configuration files

Verify Fix Applied:

Test if malicious file uploads (e.g., .php files) are blocked by the system

📡 Detection & Monitoring

Log Indicators:

Unusual file uploads to /bmis/pages/resident/resident.php
Execution of unexpected PHP files

Network Indicators:

POST requests to resident.php with file uploads
Traffic to unexpected web shells

SIEM Query:

source="web_server" AND (uri="/bmis/pages/resident/resident.php" AND method="POST" AND file_upload="*")

📊 Metadata

CVE ID: CVE-2022-34024

CVSS v3 Score: 7.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-434

Published: July 19, 2022

Last Updated: November 21, 2024

🔗 References

https://github.com/sorabug/bug_report/blob/main/vendors/itsourcecode.com/barangay-management-system/RCE-1.md Exploit,Third Party Advisory
https://github.com/sorabug/bug_report/blob/main/vendors/itsourcecode.com/barangay-management-system/RCE-1.md Exploit,Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-34024, you might also want to check these: