CVE-2022-28032
Published: 12 April 2022
Summary
CVE-2022-28032 is a critical-severity SQL Injection (CWE-89) vulnerability in Thedigitalcraft Atomcms. Its CVSS base score is 9.8 (Critical).
Operationally, this CVE ranks in the top 2.2% of all CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
AtomCMS 2.0 is affected by a SQL injection vulnerability in the Atom.CMS_admin_ajax_pages.php component. The issue is classified under CWE-89 and received a CVSS 3.1 score of 9.8, driven by network attack vector, low attack complexity, and no requirements for authentication or user interaction.
An unauthenticated remote attacker can send crafted input to the vulnerable endpoint and execute arbitrary SQL statements against the backend database. This grants full read, write, and delete access to database contents and may allow escalation to broader system compromise.
The EPSS score for this CVE is 0.4929, for both its current and peak values. The two GitHub issues linked in the public references contain the initial discovery report but do not describe patches or mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32518
Vulnerability details
AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_pages.php
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.