CVE-2022-24637

Open Web Analytics 1.7.3 - Remote Code Execution

  • Severity Score: 9.8 (CVSS v3.1)
  • Public Exploits: 10 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)

Descriptions

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

Open Web Analytics (OWA) versions prior to 1.7.4 allow an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes.

*Credits: N/A
CVSS Scores
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High

  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: None
  • Confidentiality: Partial
  • Integrity: None
  • Availability: None
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2022-02-07 CVE Reserved
  • 2022-03-18 CVE Published
  • 2022-08-30 First Exploit
  • 2024-08-03 CVE Updated
  • 2024-11-05 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-269: Improper Privilege Management
CAPEC
Affected Vendors, Products, and Versions
  • Vendor: Openwebanalytics
  • Product: Open Web Analytics
  • Version: < 1.7.4
  • Other: -
  • Status: Affected