CVE-2022-43350 is a high-severity SQL injection vulnerability identified in Sanitization Management System version 1.0. The flaw exists in the handling of the 'id' parameter within the endpoint /php-sms/classes/Master.php?f=delete_inquiry. Specifically, the application fails to properly sanitize or validate the 'id' input before incorporating it into SQL queries. This allows an attacker with high privileges (PR:H) and network access (AV:N) to inject malicious SQL code, potentially manipulating the backend database. The vulnerability does not require user interaction (UI:N) and affects the confidentiality, integrity, and availability of the system (C:H/I:H/A:H). The CVSS 3.1 base score of 7.2 reflects these factors. Exploitation could lead to unauthorized data access, data modification, or deletion, and possibly full compromise of the database. Although no known exploits are currently reported in the wild, the vulnerability’s characteristics make it a significant risk, especially in environments where the Sanitization Management System is deployed. The CWE-89 classification confirms this is a classic SQL injection issue, a well-understood attack vector that remains a common cause of severe breaches.

For European organizations using the Sanitization Management System v1.0, this vulnerability poses a substantial risk. Successful exploitation could lead to unauthorized disclosure of sensitive data, including personal or health-related information if the system manages sanitization records in healthcare or public facilities. Data integrity could be compromised, resulting in inaccurate or falsified records, which may affect compliance with strict European data protection regulations such as GDPR. Availability impacts could disrupt operational continuity, especially in critical infrastructure or public health sectors relying on this system. The high privileges required for exploitation suggest that insider threats or compromised administrative accounts could be leveraged to exploit this vulnerability, increasing the risk in environments with insufficient access controls or monitoring. The lack of available patches further elevates the risk, necessitating immediate mitigation to prevent potential data breaches or service disruptions.

Given the absence of official patches, European organizations should implement immediate compensating controls. First, restrict network access to the vulnerable endpoint by applying firewall rules or network segmentation to limit exposure only to trusted administrative users. Enforce strict access controls and monitor administrative accounts for suspicious activity to reduce the risk of privilege misuse. Employ Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection attempts targeting the 'id' parameter in the delete_inquiry function. Conduct thorough input validation and sanitization at the application level, if source code access is available, to neutralize malicious inputs. Regularly audit database logs for anomalous queries indicative of injection attempts. Additionally, organizations should prepare for incident response by backing up critical data securely and ensuring rapid recovery capabilities. Engage with the vendor or community to track any forthcoming patches or updates addressing this vulnerability.