
CVE-2023-29622

Critical · Public PoC

Published: 14 April 2023
Modified: 07 February 2025
KEV Added: not listed
Patch: none referenced
CVSS v3.1 Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1235 (94.0th percentile)
Risk Priority: 27 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-29622 is a critical-severity SQL Injection (CWE-89) vulnerability in the Purchase Order Management application (vendor: Purchase Order Management Project), version 1.0. Its CVSS v3.1 base score is 9.8 (Critical).

Operationally, it ranks in the top 6.0% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

Purchase Order Management v1.0 contains a SQL injection vulnerability in the password parameter of the /purchase_order/admin/login.php endpoint. The flaw is tracked as CVE-2023-29622 with a CVSS 3.1 score of 9.8 and is classified under CWE-89. It allows unauthenticated network attackers to submit crafted input that alters the underlying database query executed during login.

An attacker with no credentials can send SQL through the password field to bypass authentication and to extract, modify, or delete data; depending on the database engine, its configuration, and the privileges of the application's database account, the same injection point may also allow file access or operating-system command execution. The result is full confidentiality, integrity, and availability impact on the affected application and its database.
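The login flaw described above, reduced to a runnable demonstration. This is an added example and not the project's source: the table layout, the query shape, and the plaintext password column are assumptions chosen to mirror the described behaviour (the password value is dropped directly into the SQL string), and the sample data is constructed. It runs against an in-memory SQLite database so it works offline, and it places the vulnerable query beside a parameterized replacement.

```python
"""CWE-89 in an admin login, vulnerable and hardened side by side.

Assumed schema and query shape (not taken from Purchase Order Management):
  users(id, username, password)
  SELECT ... WHERE username = '<user>' AND password = '<pass>'
"""
import hmac
import sqlite3

# Constructed payload for the password parameter: closes the string literal
# and appends an always-true disjunction, so the WHERE clause matches a row
# regardless of the supplied username.
BYPASS_PAYLOAD = "' OR '1'='1"


def make_db() -> sqlite3.Connection:
    """Constructed sample data: one admin account.

    Plaintext storage is itself a weakness and is used here only so the
    injection is visible; real code should store a salted hash.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", "S3cret!"),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """Flawed login: user-controlled values are concatenated into the query.

    Because AND binds tighter than OR, BYPASS_PAYLOAD turns the clause into
    (username = ? AND password = '') OR '1'='1', which is always true.
    """
    sql = (
        "SELECT id, username FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone()


def login_hardened(conn: sqlite3.Connection, username: str, password: str):
    """Fixed login: a bound parameter carries the username as data, never as
    SQL, and the password is compared in application code with a
    constant-time comparison. The payload is now just a wrong password."""
    row = conn.execute(
        "SELECT id, username, password FROM users WHERE username = ?",
        (username,),
    ).fetchone()
    if row is None:
        return None
    if not hmac.compare_digest(row[2].encode(), password.encode()):
        return None
    return (row[0], row[1])


def demo() -> dict:
    """Run both variants against the constructed data and return the results."""
    conn = make_db()
    return {
        "vulnerable_valid": login_vulnerable(conn, "admin", "S3cret!"),
        "vulnerable_bypass": login_vulnerable(conn, "anyone", BYPASS_PAYLOAD),
        "hardened_valid": login_hardened(conn, "admin", "S3cret!"),
        "hardened_bypass": login_hardened(conn, "anyone", BYPASS_PAYLOAD),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened variant also changes the control flow: it never asks the database to compare passwords, so the query has exactly one bound input and the comparison cannot be influenced by query syntax. In PHP, the equivalent is a prepared statement via PDO or mysqli with the password checked by password_verify().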

The EPSS score for this CVE peaked at 0.2036 after disclosure before settling at the current value of 0.1235, indicating a clear rise in exploitation interest following public release. Public references consist primarily of proof-of-concept repositories demonstrating the injection and general SQL-injection guidance; no vendor patch or official mitigation details are provided.


Vulnerability details

Purchase Order Management v1.0 was discovered to contain a SQL injection vulnerability via the password parameter at /purchase_order/admin/login.php.

CWE(s): CWE-89 (SQL Injection)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: purchase order management project
Product: purchase order management
Version: 1.0

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Penetration testing uses SQL injection payloads against database interfaces, identifying and supporting fixes for SQL injection weaknesses. (addresses CWE-89)

Validates query inputs to prevent SQL syntax or command manipulation. (addresses CWE-89)
