CVE-2022-47034
CVE-2022-47034 is a critical-severity vulnerability in Playsms with a CVSS 3.x base score of 9.8. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-697.
Key facts
- Severity: Critical (CVSS 3.x base score 9.8)
- EPSS exploit prediction: 1% (53rd percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-697
- Affected product: Playsms
- Published:
- Last modified:
Description
A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication.
Frequently asked questions
- What is CVE-2022-47034?
- A type juggling vulnerability in the component /auth/fn.php of PlaySMS v1.4.5 and earlier allows attackers to bypass authentication.
- How severe is CVE-2022-47034?
- CVE-2022-47034 has a CVSS 3.x base score of 9.8, rated critical severity. It is exploitable over network with low attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability high.
- Is CVE-2022-47034 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (53rd percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-47034?
- CVE-2022-47034 affects Playsms. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-47034?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its critical severity, prioritise patching exposed systems.
- When was CVE-2022-47034 published?
- CVE-2022-47034 was published on 2023-02-13 and last updated on 2026-06-17.
References
- https://gist.github.com/tonino-25/d2316094cc751cc7a8e2c1ae6dbecfe9
- https://github.com/playsms/playsms/commit/dd23673a00c052e113c6d44eb629dc355d3c0605
Affected products (1)
- cpe:2.3:a:playsms:playsms:*:*:*:*:*:*:*:*
More vulnerabilities in Playsms
- CVE-2021-40373 — Critical (CVSS 9.8): playSMS before 1.4.5 allows Arbitrary Code Execution by entering PHP code at the #tabs-information-page of…
- CVE-2020-8644 — Critical (CVSS 9.8): PlaySMS before 1.4.3 does not sanitize inputs from a malicious string.
- CVE-2017-9101 — Critical (CVSS 9.8): import.php (aka the Phonebook import feature) in PlaySMS 1.4 allows remote code execution via vectors involving the…
- CVE-2017-9080 — High (CVSS 8.8): PlaySMS 1.4 allows remote code execution because PHP code in the name of an uploaded .php file is executed.…
- CVE-2009-0103 — High (CVSS 7.5): Multiple PHP remote file inclusion vulnerabilities in playSMS 0.9.3 allow remote attackers to execute arbitrary PHP…
- CVE-2008-5881 — High (CVSS 7.5): Multiple directory traversal vulnerabilities in playSMS 0.9.3 allow remote attackers to include and execute arbitrary…
Other CWE-697 vulnerabilities
- CVE-2025-54336 — Critical (CVSS 9.8): In Plesk Obsidian 18.0.70, _isAdminPasswordValid uses an == comparison. Thus, if the correct password is "0e" followed…
- CVE-2024-24621 — Critical (CVSS 9.8): Softaculous Webuzo contains an authentication bypass vulnerability through the password reset functionality. Remote,…
- CVE-2024-5217 — Critical (CVSS 9.8): ServiceNow has addressed an input validation vulnerability that was identified in the Washington DC, Vancouver, and…
- CVE-2023-32571 — Critical (CVSS 9.8): Dynamic Linq 1.0.7.10 through 1.2.25 before 1.3.0 allows attackers to execute arbitrary code and commands when…
- CVE-2021-44971 — Critical (CVSS 9.8): Multiple Tenda devices are affected by authentication bypass, such as AC15V1.0 Firmware V15.03.05.20_multi?AC5V1.0…
- CVE-2021-3833 — Critical (CVSS 9.8): Integria IMS login check uses a loose comparator ("==") to compare the MD5 hash of the password provided by the user…