CVE-2022-3471

A vulnerability was found in SourceCodester Human Resource Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file city.php. The manipulation of the argument searccity leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-210715.

CVSS v3 4.9 MEDIUM

4.9^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/Hanfu-l/POC-Exp/blob/main/The%20Human%20Resource%20Management%20System%20searccity%20parameter%20is%20injected.pdf	Exploit Third Party Advisory
https://vuldb.com/?id.210715	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:oretnom23:human_resource_management_system:-:*:*:*:*:*:*:*

History

28 Dec 2023, 19:04

Type	Values Removed	Values Added
First Time		Oretnom23 human Resource Management System Oretnom23
CWE	~~CWE-707~~	CWE-89
CPE	cpe:2.3:a:human_resource_management_system_project:human_resource_management_system:-:::::::*	cpe:2.3:a:oretnom23:human_resource_management_system:-:::::::*

07 Nov 2023, 03:51

Type	Values Removed	Values Added
CWE	CWE-89 CWE-74

Information

Published : 2022-10-13 04:15

Updated : 2024-02-28 19:29

NVD link : CVE-2022-3471

Mitre link : CVE-2022-3471

CVE.ORG link : CVE-2022-3471

JSON object : View

Products Affected

oretnom23

human_resource_management_system

CWE

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-707

Improper Neutralization

{"id": "CVE-2022-3471", "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.9, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.2}, {"type": "Secondary", "source": "cna@vuldb.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 3.4, "exploitabilityScore": 2.8}]}, "published": "2022-10-13T04:15:10.763", "references": [{"url": "https://github.com/Hanfu-l/POC-Exp/blob/main/The%20Human%20Resource%20Management%20System%20searccity%20parameter%20is%20injected.pdf", "tags": ["Exploit", "Third Party Advisory"], "source": "cna@vuldb.com"}, {"url": "https://vuldb.com/?id.210715", "tags": ["Third Party Advisory"], "source": "cna@vuldb.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-89"}]}, {"type": "Secondary", "source": "cna@vuldb.com", "description": [{"lang": "en", "value": "CWE-707"}]}], "descriptions": [{"lang": "en", "value": "A vulnerability was found in SourceCodester Human Resource Management System. It has been declared as critical. Affected by this vulnerability is an unknown functionality of the file city.php. The manipulation of the argument searccity leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-210715."}, {"lang": "es", "value": "Se ha encontrado una vulnerabilidad en SourceCodester Human Resource Management System. Ha sido declarada como cr\u00edtica. Esta vulnerabilidad afecta a una funcionalidad desconocida del archivo city.php. La manipulaci\u00f3n del argumento searccity conlleva a una inyecci\u00f3n sql. El ataque puede ser lanzado de forma remota. La explotaci\u00f3n ha sido divulgada al p\u00fablico y puede ser usada. El identificador asociado a esta vulnerabilidad es VDB-210715"}], "lastModified": "2023-12-28T19:04:59.790", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:oretnom23:human_resource_management_system:-:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "81ABE38B-3546-42D5-AE86-792E08CD3472"}], "operator": "OR"}]}], "sourceIdentifier": "cna@vuldb.com"}