CVE-2022-24637

Опубликовано: 18 мар. 2022

Источник: nvd

CVSS3: 9.8

CVSS2: 5

EPSS Критический

Описание

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Ссылки

http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
https://devel0pment.de/?p=2494
Exploit
Mitigation
Patch
Third Party Advisory
https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
Release Notes
Third Party Advisory
http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
Exploit
Third Party Advisory
VDB Entry
http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
https://devel0pment.de/?p=2494
Exploit
Mitigation
Patch
Third Party Advisory
https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
Release Notes
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:openwebanalytics:open_web_analytics:*:*:*:*:*:*:*:*

Версия до 1.7.4 (исключая)

EPSS

Процентиль: 100%

0.93893

Критический

9.8 Critical

CVSS3

5 Medium

CVSS2

Дефекты

CWE-269

Связанные уязвимости

GHSA-pr9q-v585-qv2w