Cyber Resilience

CVE-2022-4228

MediumPublic PoC

Published: 30 November 2022

Published
30 November 2022
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.0043 63.1th percentile
Risk Priority 11 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2022-4228 is a medium-severity Exposure of Sensitive Information to an Unauthorized Actor (CWE-200) vulnerability in Book Store Management System Project Book Store Management System. Its CVSS base score is 5.3 (Medium).

Operationally, ranked in the top 36.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

A vulnerability classified as problematic has been found in SourceCodester Book Store Management System 1.0. It affects an unknown part of the file /bsms_ci/index.php/user/edit_user/ where manipulation of the password argument leads to information disclosure. The issue is remotely exploitable without authentication and stems from exposure of sensitive data combined with missing access controls.

An unauthenticated remote attacker can supply crafted input to the affected endpoint and retrieve password-related information. Public exploit code for this vector has been disclosed, enabling straightforward reproduction against unpatched instances.

The EPSS score started low after the 2022 disclosure but rose materially to a peak of 0.1460 on 2025-01-22 before receding to the current value of 0.0043, indicating that exploitation interest emerged well after publication and that the CVE merits renewed attention.

EU & UK References

Vulnerability details

A vulnerability classified as problematic has been found in SourceCodester Book Store Management System 1.0. This affects an unknown part of the file /bsms_ci/index.php/user/edit_user/. The manipulation of the argument password leads to information disclosure. It is possible to initiate the…

more

attack remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-214587.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

book store management system project
book store management system
1.0

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-200 CWE-306

Session auditing enables detection of unauthorized exposure or access to sensitive information during user activities.

addresses: CWE-200 CWE-306

Privacy and security architectures require controls to protect sensitive information from unauthorized exposure across the system lifecycle.

addresses: CWE-200 CWE-306

Inventory identifies all systems holding or processing data, enabling detection of unauthorized exposure paths before exploitation.

addresses: CWE-306 CWE-200

Protection planning for critical infrastructure directly calls for authentication of access to essential functions before any operation is permitted.

addresses: CWE-306 CWE-200

Risk assessments evaluate exposure of critical functions lacking authentication and prioritize corrective controls.

addresses: CWE-306 CWE-200

Requires authentication gates on critical functions that must remain unavailable to anonymous public users.

addresses: CWE-306 CWE-200

Treats remote activation of surveillance-capable devices as a critical function that must be disabled or authenticated.

addresses: CWE-200 CWE-306

Decoys supply misleading data and log access attempts, directly detecting and deflecting unauthorized information exposure.

References