CVE-2022-45330 is a high-severity SQL Injection vulnerability identified in AeroCMS version 0.0.1, specifically exploitable via the 'Category' parameter in the \category.php script. SQL Injection (CWE-89) vulnerabilities occur when user-supplied input is improperly sanitized before being incorporated into SQL queries, allowing an attacker to manipulate the query structure. In this case, the vulnerability permits an unauthenticated remote attacker to inject malicious SQL code through the Category parameter, enabling unauthorized access to sensitive database information. The vulnerability has a CVSS 3.1 base score of 7.5, reflecting its high impact on confidentiality (complete database information disclosure), no requirement for privileges or user interaction, and network attack vector. The vulnerability does not impact integrity or availability directly but compromises confidentiality significantly. No patches or vendor advisories have been published, and there are no known exploits in the wild as of the published date (November 22, 2022). AeroCMS is a content management system, and while the exact market penetration or usage footprint is not specified, the presence of this vulnerability in a CMS component suggests potential exposure of websites or web applications using this software. Attackers exploiting this flaw could extract sensitive data such as user credentials, configuration details, or other protected information stored in the database, which could lead to further attacks or data breaches.

For European organizations using AeroCMS or derivative systems, this vulnerability poses a significant confidentiality risk. Unauthorized database access can lead to exposure of personal data, intellectual property, or business-critical information, potentially violating GDPR and other data protection regulations. The lack of authentication requirement and ease of exploitation increases the risk of automated attacks targeting vulnerable AeroCMS installations. Although no integrity or availability impact is directly indicated, the data disclosure alone could facilitate subsequent attacks such as privilege escalation, phishing, or lateral movement within networks. Organizations in sectors with high regulatory scrutiny (e.g., finance, healthcare, government) are particularly at risk due to the sensitivity of stored data and potential legal consequences. The absence of patches means organizations must rely on immediate mitigation strategies to reduce exposure. Given the CMS nature, public-facing web servers are likely attack vectors, increasing the risk of widespread exploitation if AeroCMS is used in European web infrastructure.

1. Immediate mitigation should include implementing Web Application Firewall (WAF) rules to detect and block SQL Injection attempts targeting the Category parameter in \category.php. 2. Conduct a thorough audit of all AeroCMS installations within the organization to identify vulnerable instances. 3. If possible, disable or restrict access to the vulnerable \category.php endpoint until a patch or update is available. 4. Employ input validation and parameterized queries or prepared statements in the CMS codebase to prevent SQL Injection, if source code access and modification are feasible. 5. Monitor web server logs for suspicious query patterns indicative of SQL Injection attempts. 6. Segregate the database with least privilege principles to limit data exposure in case of compromise. 7. Prepare incident response plans to address potential data breaches resulting from exploitation. 8. Engage with the AeroCMS community or vendor (if any) to track patch releases or security advisories. 9. Consider migrating to alternative CMS platforms with active security support if AeroCMS usage is critical and unpatched.