Cyber Resilience

CVE-2022-29009

Severity: Critical · Public PoC

Published: 11 May 2022
Modified: 21 November 2024
KEV Added: none
Patch: none listed
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.8595 (99.4th percentile)
Risk Priority: 71 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-29009 is a critical-severity SQL Injection (CWE-89) vulnerability in Phpgurukul Cyber Cafe Management System. Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 0.6% of CVEs by exploit likelihood (EPSS 0.8595, 99.4th percentile); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-29009 is a SQL injection vulnerability, tracked under CWE-89, that affects the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0. The flaw carries a CVSS 3.1 score of 9.8 and permits attackers to bypass authentication controls entirely.

Unauthenticated remote attackers can supply crafted input to the affected parameters over the network to execute arbitrary SQL commands, resulting in full compromise of confidentiality, integrity, and availability of the application and its underlying database.

Public references consist of proof-of-concept code and an Exploit-DB entry demonstrating the authentication bypass; no vendor advisories or patch information are included in the supplied references. The associated EPSS score currently stands at 0.8595 with a recorded peak of 0.8774.

EU & UK References

Vulnerability details

Multiple SQL injection vulnerabilities via the username and password parameters in the Admin panel of Cyber Cafe Management System Project v1.0 allow attackers to bypass authentication.

CWE(s)

CWE-89 (SQL Injection)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: phpgurukul
Product: cyber cafe management system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing (addresses: CWE-89): uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Query input validation (addresses: CWE-89): validates query inputs to prevent SQL syntax or command manipulation.
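The following is an added illustration, not code from the Cyber Cafe Management System project or from this page. It shows the CWE-89 pattern the analysis above describes (a login check that concatenates the username and password parameters into the SQL statement) next to the two controls listed under Mitigating Controls: a parameterized query, which keeps user input out of the statement text entirely, and an allowlist check on the username as a second layer. The schema, the single admin row and the probe string are all constructed for the demonstration; the real application's schema and password handling are not known from this page, and a production login would compare a password hash rather than a plaintext column.

```python
import re
import sqlite3

USERNAME_PATTERN = re.compile(r"^[A-Za-z0-9_.@-]{1,64}$")


def build_db():
    """Constructed in-memory table; not the project's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (username TEXT, password TEXT)")
    # Plaintext password only to keep the example short; real code stores a hash.
    conn.execute("INSERT INTO admin VALUES ('admin', 'correct-horse')")
    return conn


def login_vulnerable(conn, username, password):
    """The CWE-89 pattern: untrusted input is spliced into the statement text,
    so anything the user types is parsed as SQL."""
    sql = ("SELECT username FROM admin WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """Hardened form: placeholders send the values separately from the statement,
    so the database never interprets them as SQL syntax."""
    row = conn.execute(
        "SELECT username FROM admin WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def is_valid_username(username):
    """Allowlist validation of the username parameter (defence in depth; the
    parameterized query is the primary control, this just rejects obvious junk)."""
    return USERNAME_PATTERN.fullmatch(username) is not None


def login_hardened(conn, username, password):
    """Validation first, then the parameterized lookup."""
    if not is_valid_username(username):
        return False
    return login_parameterized(conn, username, password)


def demo():
    """Runs both code paths against a constructed probe string and returns the
    outcomes so they can be compared; the probe comments out the password clause."""
    conn = build_db()
    probe = "admin' -- "  # constructed probe: closes the quote, comments out the rest
    return {
        "legit_vulnerable": login_vulnerable(conn, "admin", "correct-horse"),
        "legit_hardened": login_hardened(conn, "admin", "correct-horse"),
        "probe_vulnerable": login_vulnerable(conn, probe, "wrong"),
        "probe_parameterized": login_parameterized(conn, probe, "wrong"),
        "probe_hardened": login_hardened(conn, probe, "wrong"),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {'logged in' if outcome else 'rejected'}")
```

Running the module prints that the concatenated query accepts the probe with a wrong password while the parameterized and validated paths reject it; the legitimate credentials pass through both. The same pattern applies regardless of database driver: the fix is to keep the statement text constant and pass values as bound parameters, with input validation as an additional, not a substitute, control.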

References