PatchSiren

PatchSiren cyber security CVE debrief

CVE-2022-2807 Algan Software CVE debrief

A critical SQL injection vulnerability exists in Algan Software's Prens Student Information System in versions prior to 2.1.11. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands, potentially leading to complete database compromise, data exfiltration, or system takeover. The CVSS 3.1 score of 9.8 reflects a network attack vector with low attack complexity, no privileges required, no user interaction, and high impact to confidentiality, integrity, and availability. The vulnerability was disclosed by the Turkish National Cyber Security Incident Response Team (USOM) in December 2022, and the CVE record was subsequently modified in May 2026. Organizations running affected versions should upgrade to Prens Student Information System 2.1.11 or later immediately.

Vendor: Algan Software
Product: Prens Student Information System
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2022-12-02
Original CVE updated: 2026-05-20
Advisory published: 2022-12-02
Advisory updated: 2026-05-20

Who should care

Educational institutions using Algan Prens Student Information System; database administrators; application security teams; and compliance officers responsible for student data protection under regulations such as GDPR, FERPA, or local education privacy laws.

Technical summary

The Prens Student Information System fails to properly sanitize user-supplied input before incorporating it into SQL queries. This classic SQL injection vulnerability (CWE-89) can be exploited without authentication, allowing attackers to bypass security controls, read sensitive student and administrative data, modify records, or execute administrative database operations. All versions prior to 2.1.11 are affected; the fix is included in version 2.1.11.

Defensive priority

critical

Recommended defensive actions

  • Upgrade Algan Prens Student Information System to version 2.1.11 or later immediately
  • Review database access logs for suspicious SQL queries from 2022-12-02 onward
  • Implement parameterized queries and input validation for all database interactions
  • Restrict network access to the student information system to authorized administrative hosts only
  • Conduct database integrity verification and review for unauthorized modifications
  • Enable comprehensive logging and monitoring for SQL query anomalies
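To illustrate the CWE-89 defect described in the technical summary and the "parameterized queries and input validation" recommendation above, here is an added example (not code from Algan Software, Prens, or the advisory). It uses Python's built-in sqlite3 module with a constructed three-row student table; the lookup functions, the student-number format rule, and the test input are all assumptions made for this illustration.

```python
import sqlite3

# Constructed in-memory table standing in for a student information
# system database. The schema and rows are invented for this example.
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, student_no TEXT, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (student_no, name) VALUES (?, ?)",
        [("S1001", "Ayse"), ("S1002", "Mehmet"), ("S1003", "Zeynep")],
    )
    conn.commit()
    return conn

def lookup_vulnerable(conn, student_no):
    # CWE-89 pattern: untrusted input is concatenated into the SQL text,
    # so a quote in the input changes the structure of the query.
    sql = "SELECT student_no, name FROM students WHERE student_no = '" + student_no + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, student_no):
    # Fix: the driver binds the value separately from the query text, so the
    # input is always compared as a literal string and can never alter the query.
    sql = "SELECT student_no, name FROM students WHERE student_no = ?"
    return conn.execute(sql, (student_no,)).fetchall()

def validate_student_no(student_no):
    # Defence in depth: allow-list check of the expected format.
    # Assumed rule for this example: the letter 'S' followed by four digits.
    return len(student_no) == 5 and student_no[0] == "S" and student_no[1:].isdigit()

def compare(student_no):
    # Returns (rows from vulnerable lookup, rows from parameterized lookup)
    # for the same input, so the two behaviours can be checked side by side.
    conn = build_db()
    try:
        return len(lookup_vulnerable(conn, student_no)), len(lookup_parameterized(conn, student_no))
    finally:
        conn.close()

if __name__ == "__main__":
    legit = "S1002"
    # Constructed tautology input: a quote closes the literal and OR '1'='1' is always true.
    hostile = "S1001' OR '1'='1"
    for value in (legit, hostile):
        vuln, safe = compare(value)
        print(f"{value!r}: valid={validate_student_no(value)} vulnerable={vuln} parameterized={safe}")
```

Against the legitimate value both lookups return one row; against the tautology input the concatenated query returns every student while the parameterized query returns none, and the format check rejects the input before it ever reaches the database.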

Evidence notes

Vulnerability confirmed through official USOM advisory (TR-22-0708) and NVD CPE criteria indicating affected versions before 2.1.11. CWE-89 (SQL Injection) classification from both USOM and NVD sources.

Official resources

2022-12-02