CVE-2022-4375

Summary

A vulnerability was found in Mingsoft MCMS up to 5.2.9. It has been classified as critical. Affected is an unknown function of the file /cms/category/list. The manipulation of the argument sqlWhere leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 5.2.10 is able to address this issue. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-215196.

Affected Software

VendorProductVersion RangeStatus
MingsoftMCMS5.2.0affected
MingsoftMCMS5.2.1affected
MingsoftMCMS5.2.2affected
MingsoftMCMS5.2.3affected
MingsoftMCMS5.2.4affected
MingsoftMCMS5.2.5affected
MingsoftMCMS5.2.6affected
MingsoftMCMS5.2.7affected
MingsoftMCMS5.2.8affected
MingsoftMCMS5.2.9affected

Weaknesses

  • CWE-707: CWE-707 Improper Neutralization -> CWE-74 Injection -> CWE-89 SQL Injection

ADP Enrichment

CVE Program Container

Additional References

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: partial

References