CVE-2022-24637

high-risk
Published 2022-03-18

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Do I need to act?

!
93.8% chance of exploitation in next 30 days
EPSS score — higher than 6% of all CVEs
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
!
1 public exploit available
51026
+
Fix available
Upgrade to: f2763b17fc88af8465de151004e698a51ec9c8a5, f2763b17fc88af8465de151004e698a51ec9c8a5
9
CVSS 9.8/10 Critical
NETWORK / LOW complexity

Affected Products (1)

Affected Vendors

Openwebanalytics

References (8)

Exploit http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code...
http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code...
Exploit https://devel0pment.de/?p=2494
Release Notes https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
Exploit http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code...
http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code...
Exploit https://devel0pment.de/?p=2494
Release Notes https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
57
/ 100
high-risk
Severity 32/34 · Critical
Exploitability 20/34 · Moderate
Exposure 5/34 · Minimal