CVE-2022-28023
Published: 21 April 2022
Summary
CVE-2022-28023 is a critical-severity SQL Injection (CWE-89) vulnerability in Purchase Order Management System by Purchase Order Management System Project. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Purchase Order Management System version 1.0 contains a SQL injection vulnerability in the endpoint /purchase_order/classes/Master.php?f=delete_supplier. The flaw is tracked as CVE-2022-28023, carries a CVSS 3.1 score of 9.8, and is classified under CWE-89.
An unauthenticated attacker with network access can supply crafted input to the affected parameter and execute arbitrary SQL commands. Successful exploitation grants full read, write, and delete access to the underlying database, enabling data exfiltration, data modification, or complete compromise of the application, without requiring credentials or user interaction.
The EPSS score for this CVE has remained flat at 0.1104 since disclosure, indicating no material increase in observed exploitation interest. Public references consist solely of a technical bug report demonstrating the injection vector; no vendor advisory or patch information is available in the supplied sources.
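To make the weakness concrete, here is an added illustration (not the project's own code) of a hypothetical delete_supplier handler in the CWE-89 form described above, beside a hardened version that adds the missing session check and binds the value as a parameter. The table, column, request parameter and session key names (supplier_list, id, $_POST['id'], $_SESSION['userdata']) are assumptions; the advisory does not name them.

```php
<?php
// Added example, not the project's code. Names below are assumptions:
// table "supplier_list", column "id", POST parameter "id", session key
// "userdata". Both functions take an already-open mysqli connection.

// BEFORE (CWE-89 pattern): the request value is spliced into the SQL text,
// so whatever the client sends is interpreted as part of the statement.
// With no session check, the path is reachable without credentials,
// matching the "unauthenticated" condition in the advisory.
function delete_supplier_vulnerable(mysqli $conn): bool
{
    $id  = $_POST['id'];
    $sql = "DELETE FROM supplier_list WHERE id = '{$id}'";
    return $conn->query($sql) !== false;
}

// AFTER: require an authenticated session, validate the type, and pass the
// value through a bound parameter so the database never parses it as SQL.
function delete_supplier_fixed(mysqli $conn): bool
{
    if (empty($_SESSION['userdata']['id'])) {   // assumed session layout
        http_response_code(403);
        return false;
    }
    $id = filter_input(INPUT_POST, 'id', FILTER_VALIDATE_INT);
    if ($id === false || $id === null) {
        http_response_code(400);                 // reject non-integer ids
        return false;
    }
    $stmt = $conn->prepare("DELETE FROM supplier_list WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);                 // 'i' = integer binding
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

The database account used by the application should also be restricted to the tables and statements the application needs, so that a future injection elsewhere cannot reach the whole schema.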
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32509
Vulnerability details
Purchase Order Management System v1.0 was discovered to contain a SQL injection vulnerability via /purchase_order/classes/Master.php?f=delete_supplier.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; any controls listed here are derived only from the weakness type (CWE-89) cited in the NVD entry.