Vulnerability Details : CVE-2022-24637
Public exploit exists!
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
Products affected by CVE-2022-24637
- cpe:2.3:a:openwebanalytics:open_web_analytics:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-24637
- EPSS score: 96.90% (probability of exploitation activity in the next 30 days)
- Percentile: ~100% (the proportion of vulnerabilities that are scored at or below this score)
Metasploit modules for CVE-2022-24637
- Open Web Analytics 1.7.3 - Remote Code Execution (RCE)
  - Disclosure Date: 2022-03-18
  - First seen: 2023-09-11
  - Module: exploit/multi/http/open_web_analytics_rce
  - Description: Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php
CVSS scores for CVE-2022-24637
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N | 10.0 | 2.9 | NIST |
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST |
CWE ids for CVE-2022-24637
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-24637
- Open Web Analytics 1.7.3 Remote Code Execution ≈ Packet Storm
  http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- From Single / Double Quote Confusion To RCE (CVE-2022-24637) – devel0pment.de
  https://devel0pment.de/?p=2494
  Tags: Exploit; Mitigation; Patch; Third Party Advisory
- Open Web Analytics 1.7.3 Remote Code Execution ≈ Packet Storm
  http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
  Tags: Exploit; Third Party Advisory; VDB Entry
- Release 1.7.4 · Open-Web-Analytics/Open-Web-Analytics · GitHub
  https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
  Tags: Release Notes; Third Party Advisory