CVE-2022-24387

File upload and overwrite to app_data/Config in SmarterTrack v100.0.8019.14010

Severity Score

7.2

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track*

*SSVC

Descriptions

With administrator or admin privileges the application can be tricked into overwriting files in app_data/Config folder, e.g. the systemsettings.xml file. THis is possible in SmarterTrack v100.0.8019.14010

Con privilegios de administrador o de administrador puede engañarse a la aplicación para que sobrescriba los archivos de la carpeta app_data/Config, por ejemplo, el archivo systemsettings.xml. Esto es posible en SmarterTrack versión v100.0.8019.14010

*Credits: Wietse Boonstra of DIVD

CVSS Scores

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:Track*

Exploitation

None

Automatable

Tech. Impact

Total

* Organization's Worst-case Scenario

Timeline

2022-02-03 CVE Reserved
2022-03-14 CVE Published
2024-12-17 EPSS Updated
2025-01-09 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-434: Unrestricted Upload of File with Dangerous Type

CAPEC

References (3)

URL	Tag	Source
https://csirt.divd.nl/DIVD-2021-00029	Related
https://csrit.divd.nl/CVE-2022-24387	Broken Link
https://csirt.divd.nl/CVE-2022-24387	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Smartertools Search vendor "Smartertools"		Smartertrack Search vendor "Smartertools" for product "Smartertrack"				>= 100.0.8019 < 100.0.8075 Search vendor "Smartertools" for product "Smartertrack" and version " >= 100.0.8019 < 100.0.8075"		-		Affected