LiveActive security incident?Get immediate response
CVE Record

CVE-2022-31384: Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname p...

Directory Management System v1.0 was discovered to contain a SQL injection vulnerability via the fullname parameter in add-directory.php.

UnknownCVSS not scoredNot KEV-listedUpdated
Glexia's TakeAutomated analysismoderate

Security readout for executives and security teams

Plain-English summary

CVE-2022-31384 is a reported SQL injection flaw in Directory Management System v1.0. The issue is tied to the fullname parameter in add-directory.php. If reachable, this class of flaw can let attackers manipulate database queries. Public evidence is limited, and no CISA KEV listing or CVSS score is provided.

Executive priority

Prioritize review if this application is internet-facing or stores sensitive directory data. Because patch information is absent from the provided sources, the immediate business action is exposure identification, access restriction, and vendor or project guidance review.

Technical view

The CVE record describes SQL injection in Directory Management System v1.0 through the fullname parameter of add-directory.php. The source bundle lists no CWE, CVSS, vendor advisory, patch version, or standardized affected CPE. A GitHub proof-of-concept reference is listed, but the bundle does not establish active exploitation.

Likely exposure

Exposure is likely limited to organizations running Directory Management System v1.0 with add-directory.php accessible to users or the internet. The affected vendor and CPE data are not normalized in the CVE record, so asset discovery may require manual application inventory review.

Exploitation context

A public GitHub PoC reference exists, increasing researcher and attacker awareness. However, the provided sources do not show confirmed exploitation in the wild, and the CVE is not marked as CISA KEV. Treat internet-exposed instances as higher priority.

Researcher notes

The CVE metadata is sparse: severity, CVSS, CWE, vendor, product CPE, and fix data are absent or unspecified. The named affected software and parameter come from the CVE description. Avoid assuming broader product impact without confirming the exact application and version.

Mitigation direction

  • Identify whether Directory Management System v1.0 is deployed.
  • Check the project or vendor source for any security update or guidance.
  • Restrict access to add-directory.php where business use permits.
  • Ensure database access uses parameterized queries, not string-built SQL.
  • Apply compensating controls such as WAF rules if patch status is unclear.

Validation and detection

  • Search asset inventory for Directory Management System v1.0.
  • Confirm whether add-directory.php exists on deployed instances.
  • Review code handling of the fullname parameter.
  • Check web and database logs for suspicious input patterns.
  • Perform authorized validation in a non-production environment.
Prepared
Confidence
medium
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

description · low confidence lookup

Database behavior lookup

The CVE wording references database injection or access, so collection and exfiltration review may help. This is a Glexia inferred lookup path, not an official MITRE, ATT&CK, or CVE Program mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2022-31384 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Unknown
CVSS
Not scored
Known Exploited
No
Published
Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

0CVSS vectors
3Timeline events
1ADP providers
2Source links

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CVECVE Program Container
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
n/an/an/aListed
Weakness

CWE details

No CWE listed

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.