CVE-2022-46887
Published: 19 January 2023
Summary
CVE-2022-46887 is a critical-severity SQL Injection (CWE-89) vulnerability in Nexusphp Nexusphp. Its CVSS base score is 9.8 (Critical).
Operationally, ranked in the top 13.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
NexusPHP versions prior to 1.7.33 contain multiple SQL injection flaws that permit remote attackers to execute arbitrary SQL commands. The issues reside in the conuser[] parameter of takeconfirm.php, the delcheater parameter of cheaterbox.php, and the usernw parameter of nowarn.php, and are tracked under CWE-89 with a CVSS 3.1 score of 9.8.
Unauthenticated attackers reachable over the network can supply crafted input to these parameters and achieve full read, write, and delete access to the underlying database, resulting in potential compromise of user data, administrative functions, and application integrity.
The official fix is included in the NexusPHP v1.7.33 release, while a SureCloud security review independently identified the same authenticated and unauthenticated injection vectors. The associated EPSS score rose from a low baseline to a peak of 0.2594 before receding to its current value of 0.0278, indicating a period of increased exploitation interest after public disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-49667
Vulnerability details
Multiple SQL injection vulnerabilities in NexusPHP before 1.7.33 allow remote attackers to execute arbitrary SQL commands via the conuser[] parameter in takeconfirm.php; the delcheater parameter in cheaterbox.php; or the usernw parameter in nowarn.php.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.