CVE-2022-24637

CVE Database · CVE-2022-24637

CVE-2022-24637

· CRITICALModified

CVSS v3.1

9.8

EPSS

99.13%

Published

Mar 18, 2022

Modified

Nov 21, 2024

Public PoC / Exploit (3)

All weaponized →

Exploit-DBOpen Web Analytics 1.7.3 - Remote Code Execution NucleiNuclei detection template TrickestTrickest PoC index

Links to public security research (Exploit-DB, Nuclei, Trickest, GitHub) for defensive use only.

Description

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Weaknesses (CWE)

CWE-269

Affected Products (1)

openwebanalytics · open_web_analytics (up to 1.7.4)vulnerable

References (8)

http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html

ExploitThird Party AdvisoryVDB Entry

http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html

https://devel0pment.de/?p=2494

ExploitMitigationPatch

https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4

Release NotesThird Party Advisory

http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html

ExploitThird Party Advisory

KEV Catalog EPSS Scores Vendors All CVEs