CVE-2022-50895 Overview
CVE-2022-50895 is a SQL injection vulnerability [CWE-89] in Aero CMS version 0.0.1. The flaw resides in the author parameter, whose value is placed into a backend database query without parameterization, escaping, or validation. Unauthenticated attackers can exploit the issue using boolean-based blind, error-based, time-based blind, and UNION query techniques. Successful exploitation enables extraction of arbitrary database contents, including credentials and configuration data, and can lead to broader system compromise. The vulnerability is reachable over the network without authentication or user interaction.
Critical Impact
Remote, unauthenticated attackers can execute arbitrary SQL queries against the Aero CMS backend database and exfiltrate sensitive data.
Affected Products
- Aero CMS 0.0.1 (aerocms_project:aerocms:0.0.1)
- Distributions sourced from the MegaTKC/AeroCMS GitHub repository
- Deployments using the unpatched author parameter handler
Discovery Timeline
- 2026-01-13 - CVE-2022-50895 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2022-50895
Vulnerability Analysis
The vulnerability is a classic SQL injection flaw classified under [CWE-89]: Improper Neutralization of Special Elements used in an SQL Command. Aero CMS 0.0.1 passes the author HTTP parameter directly into a SQL query without parameterization or input validation. Attackers can inject SQL syntax that alters the structure of the query and forces the database to return data outside of the intended result set.
Four distinct injection techniques are viable against the endpoint: boolean-based blind, error-based, time-based blind, and UNION-based. Boolean and time-based variants allow data inference when query results are not returned to the response body. Error-based injection abuses verbose database error messages to leak query output. UNION-based injection concatenates attacker-controlled SELECT statements to extract data from arbitrary tables.
Root Cause
The root cause is the absence of prepared statements or parameterized queries in the request handler that processes the author parameter. User input is concatenated directly into the SQL string sent to the database engine. No allowlist filtering, escaping, or type enforcement is applied prior to query execution.
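The following is an added example, not code from Aero CMS or its repository: it reproduces the concatenation pattern described in the root cause against an in-memory SQLite database and shows three of the four techniques listed above (boolean-based, error-based, UNION-based) working against it, beside the parameterized query that closes the hole. The table and column names (posts, users, password_hash), the sample rows, and the hash value are constructed assumptions, not the Aero CMS schema. Time-based blind probing is omitted because SQLite has no SLEEP() equivalent.

```python
"""Added example (not Aero CMS code): the string-concatenation pattern behind
CVE-2022-50895, reproduced against a throwaway SQLite database, beside the
parameterized form. Table/column names and data are constructed assumptions."""
import sqlite3


def build_db():
    """Construct a throwaway database that stands in for the CMS backend."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE posts (id INTEGER PRIMARY KEY, author TEXT, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO posts (author, title) VALUES ('alice', 'Hello'), ('bob', 'Second post');
        INSERT INTO users (username, password_hash) VALUES ('admin', 'constructed-hash');
        """
    )
    return conn


def posts_by_author_vulnerable(conn, author):
    """Root-cause pattern: the request value is spliced into the SQL text, so any
    quote or keyword it carries becomes part of the query grammar."""
    sql = "SELECT author, title FROM posts WHERE author = '" + author + "'"
    return conn.execute(sql).fetchall()


def posts_by_author_safe(conn, author):
    """Parameterized query: the driver passes the value separately from the SQL
    text, so it is only ever compared as data and cannot alter the statement."""
    sql = "SELECT author, title FROM posts WHERE author = ?"
    return conn.execute(sql, (author,)).fetchall()


def probe_error(conn, author):
    """Error-based probing: return the engine's error text that a verbose
    application would leak, or None when the query ran cleanly."""
    try:
        posts_by_author_vulnerable(conn, author)
        return None
    except sqlite3.Error as exc:
        return str(exc)


if __name__ == "__main__":
    db = build_db()
    # Boolean-based blind: a true and a false condition yield different result
    # sets, enough to infer data bit by bit even when nothing else is echoed.
    print(posts_by_author_vulnerable(db, "alice' AND '1'='1"))  # [('alice', 'Hello')]
    print(posts_by_author_vulnerable(db, "alice' AND '1'='2"))  # []
    # UNION-based: append a second SELECT with the same column count to read
    # rows from an unrelated table through the post listing.
    union = "x' UNION SELECT username, password_hash FROM users-- "
    print(posts_by_author_vulnerable(db, union))  # [('admin', 'constructed-hash')]
    # Error-based: a lone quote breaks the statement and leaks the parser error.
    print(probe_error(db, "'"))
    # The parameterized version treats every payload as a non-matching author name.
    print(posts_by_author_safe(db, union))  # []
```

The comment terminator in the UNION payload (`-- ` followed by a space) swallows the closing quote the handler appends, which is why the statement still parses; the same trick is what makes the `--` token a useful log indicator.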
Attack Vector
Exploitation occurs over the network against the Aero CMS web interface. An attacker submits a crafted value for the author parameter in an HTTP request. No credentials and no user interaction are required. The vulnerability manifests in a publicly reachable endpoint, making mass exploitation practical against exposed instances.
The attack pattern follows standard SQLi tradecraft: probing with single quotes and boolean payloads to confirm injection, then escalating to UNION or time-based extraction. Technical details and a working proof of concept are documented in the Exploit-DB #51022 entry and the GitHub PoC Repository.
Detection Methods for CVE-2022-50895
Indicators of Compromise
- HTTP requests containing SQL metacharacters such as ', --, UNION SELECT, SLEEP(, or BENCHMARK( in the author query parameter; note that access logs record these URL-encoded (for example %27 for the single quote and %20 for spaces), so detection must decode the value before matching
- Web server access logs showing repeated requests to Aero CMS endpoints with incrementing or boolean-style author values
- Database error messages referencing MySQL syntax errors logged near the time of suspicious HTTP requests
- Unusually long response times correlated with author parameter requests, indicating time-based blind probing
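As an added example that is not part of the original advisory or any vendor tooling, the detector below applies the four indicators above to constructed NGINX access-log lines. It assumes the standard "combined" log format with $request_time appended as a final field, and it assumes /post.php as the vulnerable endpoint (the page does not state the real handler path). The IP addresses are documentation ranges and the lines are not from a real incident. It URL-decodes the author value before matching, treats a lone apostrophe as benign unless the server answered 5xx (so a legitimate name like O'Brien is not flagged), and reports source IPs that probe repeatedly.

```python
"""Added example (not Aero CMS or vendor code): a detector for the CVE-2022-50895
indicators, run over constructed NGINX access-log lines. Assumes the "combined"
log_format with $request_time appended and /post.php as the endpoint."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log; documentation-range IPs, not a real incident.
SAMPLE_LOG = """\
203.0.113.5 - - [13/Jan/2026:10:00:01 +0000] "GET /post.php?author=alice HTTP/1.1" 200 5120 "-" "Mozilla/5.0" 0.012
203.0.113.77 - - [13/Jan/2026:10:00:09 +0000] "GET /post.php?author=alice%27 HTTP/1.1" 500 310 "-" "python-requests/2.31" 0.010
203.0.113.77 - - [13/Jan/2026:10:00:10 +0000] "GET /post.php?author=alice%27%20AND%20%271%27%3D%271 HTTP/1.1" 200 5120 "-" "python-requests/2.31" 0.011
203.0.113.77 - - [13/Jan/2026:10:00:11 +0000] "GET /post.php?author=alice%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 300 "-" "python-requests/2.31" 5.004
203.0.113.77 - - [13/Jan/2026:10:00:20 +0000] "GET /post.php?author=x%27%20UNION%20SELECT%20username,password%20FROM%20users--%20 HTTP/1.1" 200 7800 "-" "python-requests/2.31" 0.015
198.51.100.9 - - [13/Jan/2026:10:01:00 +0000] "GET /post.php?author=O%27Brien HTTP/1.1" 200 4100 "-" "Mozilla/5.0" 0.013
"""

# combined format: ip ident user [ts] "method target proto" status bytes "referer" "ua" request_time
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$'
)

# Applied to the URL-decoded value; matching the raw string would miss %27 etc.
SQLI_PATTERNS = [
    ("union-select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("sleep-or-benchmark", re.compile(r"\b(sleep|benchmark)\s*\(", re.I)),
    ("information_schema", re.compile(r"information_schema", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)")),
    ("boolean-tautology", re.compile(r"'\s*(and|or)\s+'?\w+'?\s*=\s*'?\w+", re.I)),
]
SLOW_SECONDS = 3.0  # time-based blind payloads usually sleep for several seconds


def extract_author(target):
    """Return the URL-decoded `author` query value, or None if the request lacks one."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get("author")
    return values[0] if values else None


def classify(author, status, request_time):
    """Return the indicator names that fire for one request (empty list = benign)."""
    reasons = [name for name, rx in SQLI_PATTERNS if rx.search(author)]
    if request_time >= SLOW_SECONDS:
        reasons.append("slow-response")
    # A lone apostrophe is common in real names, so by itself it is only escalated
    # when the server answered 5xx, which is what an error-based probe produces.
    if not reasons and "'" in author and status >= 500:
        reasons.append("quote-with-5xx")
    return reasons


def scan_log(text):
    """Parse each line, decode the author parameter, and collect flagged requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production detector would count these
        author = extract_author(m["target"])
        if author is None:
            continue
        reasons = classify(author, int(m["status"]), float(m["rt"]))
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "author": author, "reasons": reasons})
    return findings


def probing_sources(findings, threshold=3):
    """Source IPs with at least `threshold` flagged requests: the repeated-probe indicator."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(ip for ip, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ts"], h["ip"], h["reasons"], repr(h["author"]))
    print("probing sources:", probing_sources(hits))
```

Run against the sample, the benign first and last lines produce no finding, the bare-quote request is flagged only because it coincided with a 500, and the remaining three requests from 203.0.113.77 fire the boolean, time-based and UNION indicators, which is enough for that address to be reported as a probing source.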
Detection Strategies
- Deploy web application firewall signatures that match SQL injection patterns in the author parameter
- Enable database query logging and alert on UNION SELECT, INFORMATION_SCHEMA, or SLEEP calls originating from the CMS service account
- Monitor outbound data volume from the database host for anomalous spikes consistent with bulk table extraction
Monitoring Recommendations
- Correlate web access logs with database audit logs to identify request-to-query chains containing injection payloads
- Track authentication and password reset activity following any confirmed probe of the author endpoint
- Review file system changes on the web server, since SQLi can be chained with INTO OUTFILE writes for webshell deployment when the CMS database account holds the MySQL FILE privilege and secure_file_priv permits writing to a web-served directory
How to Mitigate CVE-2022-50895
Immediate Actions Required
- Remove Aero CMS 0.0.1 from production and replace it with a supported content management platform, since the project is archived and unmaintained
- Restrict network access to the application until migration is complete, allowing only trusted source IP ranges
- Rotate all database credentials, CMS administrator passwords, and any secrets that were retrievable via the affected database
- Audit the database for unauthorized accounts, modified content, or webshells dropped through INTO OUTFILE SQLi chains
Patch Information
No official vendor patch is available. The upstream project at MegaTKC/AeroCMS is archived and no longer maintained. The VulnCheck Advisory confirms the lack of a fix and recommends decommissioning the software.
Workarounds
- Place the application behind a web application firewall with SQL injection rule sets tuned for the author parameter
- Apply database least-privilege by restricting the CMS database user to the table-level privileges the application actually needs (a CMS typically still needs INSERT and UPDATE on its own content tables) and removing FILE and any other global privileges, which blocks INTO OUTFILE chains and limits what a UNION query can reach
- Disable verbose database error reporting in the application to limit error-based injection feasibility
- Implement reverse proxy rules that reject requests where the author parameter contains SQL metacharacters
# Example NGINX rule to block obvious SQLi payloads in the author parameter.
# Caveats: $arg_author is the raw query-string value and is not URL-decoded, so an
# encoded quote (%27) does not match the ' literal below; POST bodies are not
# inspected; and "if" inside a location block has well-known pitfalls in NGINX.
# Treat this as a stopgap alongside a WAF, not a replacement for decommissioning.
if ($arg_author ~* "(union|select|sleep|benchmark|information_schema|--|';)") {
    return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

