CVE-2022-38637
published 2022-09-13

CVE-2022-38637: Hospital Management System v1.0 was discovered to contain multiple SQL injection vulnerabilities via the Username and Password parameters on the Login page.

Priority: P2 (63)
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 4.55% (90.4th percentile)

Affected

1 range listed
Vendor: hospital_management_system_project
Product: hospital_management_system
Version range: (not listed)
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

path: /hms/user-login.php
path: /HMS/user-login.php
command: username=admin%27+or+%271%27%3D%271%27%23&password=admin%27+or+%271%27%3D%271%27%23&submit=
  • Detect exploitation attempts by monitoring POST requests to /hms/user-login.php or /HMS/user-login.php containing SQL injection payloads in the username and/or password parameters (e.g., URL-encoded single quotes and OR-based tautologies).
  • Successful exploitation results in a 200 HTTP response whose body contains both 'User | Dashboard' and 'Book My Appointment', indicating authentication bypass via SQL injection.
  • Use Shodan or FOFA queries to inventory exposed Hospital Management System instances: search for http.html:'Hospital Management System' or body='hospital management system'.
  • The Nuclei template uses host-redirects with up to 2 redirects, meaning the actual vulnerable endpoint may redirect before the login page is served; detection logic must account for redirect chains.
  • The vulnerable parameter is identified as both 'Username and Password parameters on the Login page' (NVD) and 'editid parameter' (exploit description), indicating the attack surface may span multiple parameters.
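The detection logic described in the bullets above, written out as an added example (not code from this page, NVD, or the Hospital Management System project). It assumes the defender has request/response records (method, path, POST body, status, response body) from a reverse proxy or WAF that logs request bodies; the SAMPLE_RECORDS below are constructed, with the first one carrying the exact payload listed under "command".

```python
"""Detection logic for the login-page SQL injection described above.

Added example; not code from the page or from the Hospital Management
System project. Assumes request/response records (method, path, POST
body, status, response body) from a reverse proxy or WAF that logs
bodies. SAMPLE_RECORDS is constructed for illustration.
"""
import re
from urllib.parse import parse_qs, unquote_plus

# Both /hms/ and /HMS/ are reported, so match the path case-insensitively.
LOGIN_PATH = re.compile(r"^/hms/user-login\.php$", re.IGNORECASE)

# OR-based tautology after a closing quote, e.g.  ' or '1'='1   or   ' or 1=1
TAUTOLOGY = re.compile(
    r"'\s*or\s+(?:'[^']*'|\w+)\s*=\s*(?:'[^']*'|\w+)", re.IGNORECASE
)

# Strings the page lists as the indicator of a bypassed login.
SUCCESS_MARKERS = ("User | Dashboard", "Book My Appointment")


def injected_params(method, path, body):
    """Names of login parameters whose value looks like a quote-based tautology."""
    if method.upper() != "POST":
        return []
    if not LOGIN_PATH.match(path.split("?", 1)[0]):
        return []
    params = parse_qs(body, keep_blank_values=True)
    hits = []
    for name in ("username", "password"):
        for value in params.get(name, []):
            # parse_qs already decoded once; decode again so a
            # double-encoded quote (%2527) is not missed.
            decoded = unquote_plus(value)
            if TAUTOLOGY.search(decoded):
                hits.append(name)
                break
    return hits


def bypass_succeeded(status, response_body):
    """True when the response matches the page's success indicator."""
    return status == 200 and all(m in response_body for m in SUCCESS_MARKERS)


def scan(records):
    """Return one alert per record that carries an injection payload."""
    alerts = []
    for rec in records:
        params = injected_params(rec["method"], rec["path"], rec["body"])
        if params:
            alerts.append({
                "path": rec["path"],
                "params": params,
                "bypass_confirmed": bypass_succeeded(rec["status"], rec["response"]),
            })
    return alerts


# Constructed records: the page's payload, a normal login whose password
# merely contains a quote, and a GET of the login form.
SAMPLE_RECORDS = [
    {"method": "POST", "path": "/hms/user-login.php",
     "body": "username=admin%27+or+%271%27%3D%271%27%23"
             "&password=admin%27+or+%271%27%3D%271%27%23&submit=",
     "status": 200,
     "response": "<title>User | Dashboard</title><a>Book My Appointment</a>"},
    {"method": "POST", "path": "/HMS/user-login.php",
     "body": "username=alice&password=Winter%272024&submit=",
     "status": 200, "response": "<p>Invalid username or password</p>"},
    {"method": "GET", "path": "/hms/user-login.php", "body": "",
     "status": 200, "response": "<form method=post>...</form>"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(alert)
```

A lone single quote in a password is not flagged (see the second record), only a quote followed by an OR tautology; the response check turns an attempt into a confirmed bypass only when both marker strings appear in a 200 response. Because the page notes that the Nuclei template follows up to two redirects, apply the path match to the final request in the chain, not only the first URL requested.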