CVE-2022-43262 The Human Resource Management System v1.0 had a SQL injection vulnerability in the password parameter.

An attacker can exploit this to elevate privileges and get administrative access to the application. In addition, the application incorrectly sanitizes user input, leading to cross-site scripting (XSS) vulnerabilities. An attacker can leverage these to run arbitrary code on the application’s behalf.

The application also suffers from an information disclosure issue, which is due to the lack of input validation on various parameters. An attacker can exploit this to uncover sensitive information about the application’s users.

Finally, the application allows users to change each other’s passwords. Therefore, an attacker can leverage this vulnerability to reset administrative passwords.

Vulnerable to CVE-2022-43261

This vulnerability is not exploitable because the application cannot be modified.

The application suffers from two vulnerabilities: CVE-2022-43261 and CVE-2022-43262.
CVE-2022-43261 allows an attacker to exploit the application to gain access to sensitive information about other users, while CVE-2022-43262 allows an attacker to exploit the application by compromising the integrity of certain files.

CVE-2022-43261 is not exploitable because the application cannot be modified, while CVE-2022-43262 can be exploited by an attacker with administrative privileges.

Vulnerability overview

1) Elevation of privileges - An attacker can exploit this vulnerability to gain the same level of access and privileges as the application.
2) Cross-site scripting vulnerabilities - An attacker can leverage these vulnerabilities to run arbitrary code on the application’s behalf.
3) Insecure data storage - The application stores sensitive information, like passwords, in an insecure manner. An attacker can leverage this vulnerability to uncover sensitive information about the application’s users.
4) Password change vulnerability - An attacker can leverage this vulnerability to reset administrative passwords.
5) Sensitive data disclosure issue - The application lacks input validation on a number of parameters that result in information disclosure issues.

Timeline

Published on: 11/16/2022 15:15:00 UTC
Last modified on: 11/16/2022 19:40:00 UTC

References

• https://github.com/null302/bug_report/blob/main/vendors/oretnom23/Human%20Resource%20Management%20System/SQLi-1.md
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-43262