Cyber Resilience

CVE-2022-40032

Critical · Public PoC

Published: 17 February 2023

Modified: 18 March 2025
KEV Added: (not listed)
Patch: (none documented)
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.6402 (98.5th percentile)
Risk Priority: 58 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-40032 is a critical-severity SQL Injection (CWE-89) vulnerability in Simple Task Managing System (vendor: Simple Task Managing System Project). Its CVSS base score is 9.8 (Critical).

Operationally, it is ranked in the top 1.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-40032 is a SQL injection vulnerability affecting the Simple Task Managing System version 1.0, specifically in the login.php file where the username and password parameters are processed without adequate sanitization. The flaw is tracked under CWE-89 and carries a CVSS 3.1 base score of 9.8, reflecting network-accessible, low-complexity attack conditions with no required authentication or user interaction.

Unauthenticated remote attackers can supply crafted input to the affected parameters and execute arbitrary SQL commands, enabling them to extract sensitive data, bypass authentication, or run additional code on the underlying database server. The root cause is user-controlled input being concatenated into the SQL text; the fix is to pass it to the database as a bound parameter instead.
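To make the weakness and its remediation concrete, the following is an added example (not code from the Simple Task Managing System project, whose login.php is PHP/MySQL). It uses Python with an in-memory SQLite database as a stand-in: `login_vulnerable` reproduces the pattern behind CWE-89 (input spliced into the query string), `login_fixed` shows the parameterized form, and `username_is_well_formed` adds an allow-list check as defense in depth. The users table, the credentials and the crafted input are all constructed for the demonstration.

```python
import re
import sqlite3

# Constructed sample data standing in for the application's user store.
SAMPLE_USER = "admin"
SAMPLE_PASSWORD = "correct horse battery staple"

# Constructed tautology input of the kind an injection test would send;
# it is quoted so that string concatenation turns it into SQL logic.
CRAFTED_INPUT = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Build an in-memory users table with one constructed account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        (SAMPLE_USER, SAMPLE_PASSWORD),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The CWE-89 pattern: request parameters are concatenated into the SQL text,
    so quotes and operators in the input are parsed as part of the query."""
    query = (
        "SELECT id FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: the SQL text is constant and the values are bound
    parameters, so the driver always treats the input as data, never as SQL."""
    query = "SELECT id FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Allow-list for usernames (assumed policy for this example): letters, digits,
# dot, underscore, hyphen, 1-64 characters. This is defense in depth only;
# parameterization is what actually closes the injection.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]{1,64}$")


def username_is_well_formed(username: str) -> bool:
    """Reject input that cannot be a legitimate username before it reaches the DB."""
    return USERNAME_RE.fullmatch(username) is not None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, crafted input :", login_vulnerable(db, CRAFTED_INPUT, CRAFTED_INPUT))
    print("fixed, crafted input      :", login_fixed(db, CRAFTED_INPUT, CRAFTED_INPUT))
    print("fixed, real credentials   :", login_fixed(db, SAMPLE_USER, SAMPLE_PASSWORD))
    print("allow-list on crafted     :", username_is_well_formed(CRAFTED_INPUT))
```

In the vulnerable function the crafted value turns the `WHERE` clause into a tautology and a row comes back without valid credentials; in the fixed function the same value is compared literally against the column and no row matches. The PHP equivalent of `login_fixed` is a prepared statement via PDO (`prepare` with bound values) or mysqli prepared statements. Separately from the injection, comparing plaintext passwords inside SQL is itself a weakness; a corrected login should fetch the stored hash by username and verify it in application code (`password_verify` in PHP).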

Public references consist primarily of exploit code and the original vulnerable source archive rather than vendor advisories; no official patch or mitigation guidance is documented in the provided materials. The associated EPSS score reached a peak of 0.7898 after disclosure before settling at 0.6402, indicating sustained post-publication exploitation interest.

EU & UK References

Vulnerability details

SQL Injection vulnerability in Simple Task Managing System version 1.0, in login.php in the 'username' and 'password' parameters, allows attackers to execute arbitrary code and gain sensitive information.

CWE(s)

CWE-89: SQL Injection

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: simple task managing system project
Product: simple task managing system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses: CWE-89)

- Validates query inputs to prevent SQL syntax or command manipulation. (addresses: CWE-89)

References