Cyber Resilience

CVE-2022-28032

Severity: Critical · Public PoC available

Published: 12 April 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: no patch details in the referenced sources
CVSS v3.1 score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.4929 (97.8th percentile)
Risk priority: 49 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-28032 is a critical-severity SQL Injection (CWE-89) vulnerability in Thedigitalcraft Atomcms. Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

AtomCMS 2.0 is affected by a SQL injection vulnerability in the Atom.CMS_admin_ajax_pages.php component. The issue is classified under CWE-89 and received a CVSS 3.1 score of 9.8, driven by its network attack vector, low attack complexity, and the absence of any authentication or user-interaction requirement.

An unauthenticated remote attacker can supply crafted input to the vulnerable endpoint and execute arbitrary SQL statements against the backend database. This grants full read, write, and delete access to database contents and may allow escalation to broader system compromise.

The EPSS score for the CVE is 0.4929 at both current and peak values. The two GitHub issues linked in public references contain the initial discovery report but do not detail patches or mitigation steps.

Vulnerability details

AtomCMS 2.0 is vulnerable to SQL Injection via Atom.CMS_admin_ajax_pages.php

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: thedigitalcraft
Product: atomcms
Version: 2.0

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Input validation (addresses CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
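The following is an added, self-contained illustration of the two CWE-89 defenses named above, written for this page rather than taken from AtomCMS (whose code base is PHP and is not reproduced here). It uses a constructed SQLite "pages" table that stands in for a CMS lookup; the column names, the helper functions and the sample rows are assumptions made for the example. It contrasts a query built by string concatenation with the same lookup done through a bound parameter, and adds an allow-list validator in front of the data layer.

```python
import sqlite3

# Constructed sample rows standing in for a CMS "pages" table (not AtomCMS's real schema).
SAMPLE_PAGES = [(1, "Home", "public"), (2, "About", "public"), (3, "Draft post", "private")]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_page_vulnerable(conn: sqlite3.Connection, page_id: str) -> list:
    """CWE-89 pattern: the untrusted value is spliced into the SQL text, so the
    database parses whatever the caller sends as part of the statement itself."""
    sql = f"SELECT id, title FROM pages WHERE visibility = 'public' AND id = {page_id}"
    return conn.execute(sql).fetchall()


def lookup_page_parameterized(conn: sqlite3.Connection, page_id) -> list:
    """Hardened form: the statement is fixed and the value is bound as a parameter,
    so the input is only ever compared as data and never parsed as SQL."""
    sql = "SELECT id, title FROM pages WHERE visibility = 'public' AND id = ?"
    return conn.execute(sql, (page_id,)).fetchall()


def validate_page_id(raw: str) -> int:
    """Allow-list validation: a page id must be a plain unsigned integer.
    Anything else is rejected before it reaches the data layer."""
    if not raw.isdigit():
        raise ValueError(f"rejected page id: {raw!r}")
    return int(raw)


def lookup_page_hardened(conn: sqlite3.Connection, raw: str) -> list:
    """Defense in depth: reject malformed ids, then bind the validated value."""
    return lookup_page_parameterized(conn, validate_page_id(raw))


if __name__ == "__main__":
    conn = make_db()
    benign = "2"
    tautology = "0 OR 1=1"  # constructed textbook tautology used to show data vs. code
    print("vulnerable, benign input:", lookup_page_vulnerable(conn, benign))
    print("vulnerable, tautology:   ", lookup_page_vulnerable(conn, tautology))  # private row leaks
    print("parameterized, tautology:", lookup_page_parameterized(conn, tautology))  # no rows
    try:
        lookup_page_hardened(conn, tautology)
    except ValueError as exc:
        print("hardened, tautology:     ", exc)
```

With the concatenated query, the tautology input turns the WHERE clause into `visibility = 'public' AND id = 0 OR 1=1`, which (because AND binds tighter than OR) matches every row, including the private one. The parameterized form compares the whole string against the integer column and matches nothing, and the validator rejects it before any query runs. Run it with `python3 sqli_controls.py` (any filename works).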
