Vulnerability Details : CVE-2022-36536
Public exploit exists!
An issue in the component post_applogin.php of Super Flexible Software GmbH & Co. KG Syncovery 9 for Linux v9.47x and below allows attackers to escalate privileges via creating crafted session tokens.
Products affected by CVE-2022-36536
- cpe:2.3:a:syncovery:syncovery:*:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2022-36536
- 3.67%: probability of exploitation activity in the next 30 days
- ~92%: percentile, the proportion of vulnerabilities that are scored at or less
Metasploit modules for CVE-2022-36536
- Syncovery For Linux Web-GUI Session Token Brute-Forcer
  - Disclosure Date: 2022-09-06
  - First seen: 2022-12-23
  - Module: auxiliary/scanner/http/syncovery_linux_token_cve_2022_36536
  - This module attempts to brute-force a valid session token for the Syncovery File Sync & Backup Software Web-GUI by generating all possible tokens, for every second between 'DateTime.now' and the given X day(s). By default today and yesterday (DAYS = 1) will be checked.
CVSS scores for CVE-2022-36536
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | 
CWE ids for CVE-2022-36536
- The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. Assigned by: nvd@nist.gov (Primary)
References for CVE-2022-36536
- http://syncovery.com
  File Sync & Backup Software | The versatile all-in solution (Broken Link)
- http://super.com
  Copy of Universal company page (Not Applicable)
- https://www.mgm-sp.com/en/multiple-vulnerabilities-in-syncovery-for-linux/
  Multiple vulnerabilities in Syncovery for Linux (Exploit; Third Party Advisory)