CVE-2022-40347 : SQL Injection vulnerability in Intern Record System version 1.0 in /intern/contr

SQL Injection vulnerability in Intern Record System version 1.0 in /intern/controller.php in 'phone', 'email', 'deptType' and 'name' parameters, allows attackers to execute arbitrary code and gain sensitive information.

Published 2023-02-17 13:15:11

Updated 2025-03-18 16:15:13

Source MITRE

View at NVD, CVE.org

Vulnerability category: Sql InjectionExecute code

Products affected by CVE-2022-40347

Intern Record System Project » Intern Record System » Version: 1.0
cpe:2.3:a:intern_record_system_project:intern_record_system:1.0:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2022-40347

EPSS FAQ

1.97%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 82 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2022-40347

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	134c704f-9b21-4f2e-91b3-4a467353bcc0	2025-03-18
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High
9.8	CRITICAL	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H	3.9	5.9	NIST
Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality: High Integrity: High Availability: High

CWE ids for CVE-2022-40347

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Assigned by:
- 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)
- nvd@nist.gov (Primary)

References for CVE-2022-40347

https://download-media.code-projects.org/2020/03/Intern_Record_System_In_PHP_With_Source_Code.zip

Product

CVEs referencing this url
https://github.com/h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated

GitHub - h4md153v63n/CVE-2022-40347_Intern-Record-System-phone-V1.0-SQL-Injection-Vulnerability-Unauthenticated: CVE-2022-40347: Intern Record System - 'phone', 'email', 'deptType' and 'name' SQL Inje
Exploit;Third Party Advisory
http://packetstormsecurity.com/files/171740/Intern-Record-System-1.0-SQL-Injection.html

Intern Record System 1.0 SQL Injection ≈ Packet Storm
https://code-projects.org/intern-record-system-in-php-with-source-code/

Intern Record System In PHP With Source Code - Source Code & Projects
Product

CVEs referencing this url

Jump to

Vulnerability Details : CVE-2022-40347

Products affected by CVE-2022-40347

Exploit prediction scoring system (EPSS) score for CVE-2022-40347

CVSS scores for CVE-2022-40347

CWE ids for CVE-2022-40347

References for CVE-2022-40347