CVE-2022-31978 Scanner

The Online Fire Reporting System version 1.0 serves as a digital platform for reporting fire incidents, primarily used by fire departments and emergency services. It facilitates the efficient management of fire incident reports, enabling users to submit, track, and manage reports online. This software is crucial for improving response times to fire incidents and enhancing the coordination between different emergency service providers. By digitizing the reporting process, it aims to make fire incident management more accessible and efficient. The system is designed for ease of use, ensuring that it can be effectively utilized by various stakeholders involved in fire management and emergency response.

The CVE-2022-31978 vulnerability in the Online Fire Reporting System version 1.0 pertains to an SQL Injection issue found in the /ofrs/classes/Master.php?f=delete_inquiry endpoint. This critical vulnerability arises due to the application's failure to properly sanitize user-supplied input, allowing attackers to inject and execute arbitrary SQL commands. Such a flaw can lead to unauthorized database access, data leakage, or even manipulation of the database contents, posing a significant security risk.

The specific point of injection is the id parameter within the /ofrs/classes/Master.php?f=delete_inquiry request, where malicious SQL statements can be inserted by attackers. This vulnerability is a direct result of inadequate input validation and sanitization procedures, enabling attackers to manipulate the underlying SQL queries executed by the application. Successful exploitation could allow an attacker to perform a variety of unauthorized actions, such as accessing sensitive data, modifying or deleting information, and potentially compromising the entire database's integrity.

Exploiting this SQL Injection vulnerability could have severe repercussions, including unauthorized access to sensitive data within the database, such as personal information of users and details of fire incidents. It could also lead to the alteration or deletion of critical data, significantly disrupting the application's operations and potentially impacting emergency response activities. Moreover, this vulnerability could serve as a gateway for further attacks, undermining the security and reliability of the system.

By utilizing the security scanning services provided by securityforeveryone, users can effectively identify and mitigate vulnerabilities like SQL Injection within their digital assets. Our platform offers a comprehensive Cyber Threat Exposure Management service, combining open-source and proprietary technologies to scan and secure online assets against a wide range of security threats. Joining our platform provides access to detailed vulnerability assessments, expert guidance, and tools necessary for maintaining robust cybersecurity defenses. This proactive approach to security can help safeguard your digital environment, ensuring the confidentiality, integrity, and availability of your data.

References

• https://github.com/debug601/bug_report/blob/main/vendors/oretnom23/online-fire-reporting-system/SQLi-5.md
• https://www.sourcecodester.com/php/15346/online-fire-reporting-system-phpoop-free-source-code.html
• https://nvd.nist.gov/vuln/detail/CVE-2022-31978