Cyber Resilience

CVE-2022-40347

Critical · Public PoC

Published: 17 February 2023
Modified: 18 March 2025
KEV Added: none (not listed in the CISA KEV catalog)
Patch: none referenced
CVSS v3.1 Score: 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0582 (90.7th percentile)
Risk Priority: 23 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2022-40347 is a critical-severity SQL Injection (CWE-89) vulnerability in Intern Record System (vendor: Intern Record System Project). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 9.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-40347 is a SQL injection issue in Intern Record System version 1.0, located in the /intern/controller.php file and reachable through the phone, email, deptType, and name parameters. It is tracked under CWE-89 and rated 9.8 on CVSS 3.1, reflecting unauthenticated network access (AV:N, PR:N, UI:N) with high impact on confidentiality, integrity, and availability.

Because none of the four parameters is validated before being placed into a query, an unauthenticated remote attacker can supply crafted input to them to alter the SQL the application executes, enabling arbitrary code execution and extraction of sensitive data from the underlying database.

Public references consist primarily of exploit demonstrations and the original project source code hosted on PacketStorm Security and GitHub; no vendor advisory or patch information has been published. The associated EPSS score has stayed low and essentially flat, moving only from a peak of 0.0586 to a current value of 0.0582.

Vulnerability details

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in the 'phone', 'email', 'deptType' and 'name' parameters allows attackers to execute arbitrary code and gain sensitive information.

CWE(s)

CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: intern record system project
Product: intern record system
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the controls below are derived from the weakness types (CWEs) cited in the NVD entry.

Control 1 (addresses CWE-89): Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses.

Control 2 (addresses CWE-89): Validates query inputs to prevent SQL syntax or command manipulation.
