CVE-2022-40347
Published: 17 February 2023
Summary
CVE-2022-40347 is a critical-severity SQL Injection (CWE-89) vulnerability in Intern Record System, a product of the Intern Record System Project. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
The vulnerability CVE-2022-40347 is a SQL injection issue in Intern Record System version 1.0, located in the /intern/controller.php file and triggered through the phone, email, deptType, and name parameters. It is tracked under CWE-89 and rated 9.8 on CVSS 3.1, reflecting unauthenticated network access with high impact on confidentiality, integrity, and availability.
An unauthenticated remote attacker can supply crafted input to the affected parameters to manipulate SQL queries, enabling arbitrary code execution and extraction of sensitive data from the underlying database.
Public references consist primarily of exploit demonstrations and the original project source code hosted on PacketStorm Security and GitHub, with no vendor advisories or patch information provided. The associated EPSS score has stayed low and essentially flat, moving only from a peak of 0.0586 to a current value of 0.0582.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-43638
Vulnerability details
SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.