CVE-2022-29006
Published: 11 May 2022
Summary
CVE-2022-29006 is a critical-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Directory Management System. Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-29006 is a set of SQL injection flaws (CWE-89) affecting the username and password parameters in the administrative login panel of Directory Management System version 1.0. The vulnerability received a CVSS 3.1 base score of 9.8, reflecting network-accessible attack vectors that require no authentication or user interaction and can result in full confidentiality, integrity, and availability impact.
An unauthenticated remote attacker can supply crafted input to the affected parameters and bypass authentication entirely, obtaining administrative access to the application and any data or functionality it exposes. Public proof-of-concept code demonstrating the bypass has been published on Exploit-DB and GitHub.
The EPSS score for this CVE stands at 0.8742, indicating substantial real-world exploitation interest. No vendor advisory or patch information appears among the referenced sources.
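The CWE-89 pattern behind this kind of login bypass, and the parameterized form that closes it, as an added example that is not code from the affected application or from this page. It is a Python/SQLite model; the table layout, credential, function names and test inputs are all constructed assumptions.

```python
import sqlite3

def make_db():
    """In-memory stand-in for an admin table (constructed schema and row)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    # Constructed credential; a real system should store a salted hash instead.
    db.execute("INSERT INTO admin VALUES (?, ?)", ("admin", "S3cret-constructed"))
    return db

def login_concatenated(db, username, password):
    """CWE-89 pattern: request values become part of the SQL text."""
    sql = ("SELECT 1 FROM admin WHERE username = '" + username +
           "' AND password = '" + password + "'")
    return db.execute(sql).fetchone() is not None

def login_parameterized(db, username, password):
    """Hardened form: values are bound as data and never parsed as SQL."""
    sql = "SELECT 1 FROM admin WHERE username = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone() is not None

# Constructed regression input: quote characters that change the query's
# structure when concatenated, and are plain text when bound.
QUOTE_INPUT = "' OR '1'='1"

def compare(username, password):
    """Return (concatenated result, parameterized result) for one login attempt."""
    db = make_db()
    try:
        weak = login_concatenated(db, username, password)
    except sqlite3.OperationalError:
        # Unbalanced quotes break the statement; such SQL syntax errors on a
        # login endpoint are worth alerting on in application logs.
        weak = "sql-error"
    return weak, login_parameterized(db, username, password)

if __name__ == "__main__":
    cases = [("admin", "S3cret-constructed"), ("admin", "wrong"),
             (QUOTE_INPUT, QUOTE_INPUT), ("o'brien", "x")]
    for user, pw in cases:
        print(repr(user), compare(user, pw))
```

The same four cases work as a regression test after remediation: the two login functions should agree on every input, and no input should produce a SQL error.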
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33436
Vulnerability details
Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Directory Management System v1.0 allow attackers to bypass authentication.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.