CVE-2023-29622
Published: 14 April 2023
Summary
CVE-2023-29622 is a critical-severity SQL Injection (CWE-89) vulnerability in Purchase Order Management (vendor listed as Purchase Order Management Project). Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 6.0% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
Purchase Order Management v1.0 contains a SQL injection vulnerability in the password parameter of the /purchase_order/admin/login.php endpoint. The flaw is tracked as CVE-2023-29622 with a CVSS 3.1 score of 9.8 and is classified under CWE-89. It allows unauthenticated network attackers to submit crafted input that alters the underlying database query executed during login.
An attacker with no credentials can send malicious SQL through the password field to extract, modify, or delete data and potentially execute operating-system commands, resulting in full confidentiality, integrity, and availability impact on the affected application and its database.
The EPSS score for this CVE reached a peak of 0.2036 after disclosure before settling at the current value of 0.1235, indicating a clear rise in exploitation interest following public release. Public references consist primarily of proof-of-concept repositories demonstrating the injection and general SQL-injection guidance, with no vendor patch or official mitigation details provided.
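The CWE-89 pattern the analysis describes, shown as an added example that is not code from Purchase Order Management or its proof-of-concept references: a constructed login handler that splices the password parameter into the SQL text, beside the remediated handler that uses a PDO prepared statement and a password hash. The table and column names, and the SQLite sample data, are assumptions made for the example.

```php
<?php
// Added example, not the project's code. Illustrates the weakness class behind
// CVE-2023-29622 (CWE-89 in a login handler) and the fix. Table and column
// names are assumptions.

// VULNERABLE PATTERN (constructed, do not use): request parameters are
// concatenated into the SQL string, so the client controls the query structure.
function loginVulnerable(PDO $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users "
         . "WHERE username = '$username' AND password = '$password'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// FIXED: the query text is fixed at prepare time; user input travels only as a
// bound value, and the password is never part of the SQL at all.
function loginSafe(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = :u LIMIT 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Same failure path for unknown user and wrong password, so the response
    // does not reveal which one it was.
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// Self-contained demo using an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

var_dump(loginSafe($db, 'admin', 'correct horse battery staple') !== null);
var_dump(loginSafe($db, 'admin', 'wrong-password') === null);
```

The safe variant also removes the second half of the original risk: because passwords are stored as hashes and compared with `password_verify()` in PHP, the password value never reaches the database engine as query text, so there is nothing for a crafted password parameter to alter.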
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33163
Vulnerability details
Purchase Order Management v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /purchase_order/admin/login.php.
- CWE(s): CWE-89
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.