CVE-2022-28080
Published: 05 May 2022
Summary
CVE-2022-28080 is a high-severity SQL Injection (CWE-89) vulnerability in the Event Management System Project's Event Management System (Royal Event Management System v1.0). Its CVSS base score is 8.8 (High).
Operationally, it ranks in the top 2.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Royal Event Management System v1.0 contains a SQL injection vulnerability tracked as CVE-2022-28080 and assigned CWE-89. The flaw resides in the todate parameter and carries a CVSS 3.1 score of 8.8, reflecting network attack vector, low complexity, and low-privileged authenticated access that can fully compromise confidentiality, integrity, and availability.
An authenticated attacker with network access can supply crafted input to the affected parameter and execute arbitrary SQL queries against the underlying database. Successful exploitation grants the ability to read, modify, or delete data and potentially escalate to administrative control of the event-management application.
The EPSS score for this CVE rose from a low baseline to a peak of 0.8501 on 2025-01-22 before receding to the current value of 0.4476, indicating that exploitation interest increased well after the original 2022 disclosure. Public references consist of proof-of-concept code and the original application source archive but contain no vendor advisory or patch information.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-32565
Vulnerability details
Royal Event Management System v1.0 was discovered to contain a SQL injection vulnerability via the todate parameter.
- CWE(s): CWE-89 (SQL Injection)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; any controls listed are derived from the weakness types (CWEs) cited in the NVD entry, here CWE-89.