CVE-2022-24637 Information

Description

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Reference

https://devel0pment.de/?p=2494

https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4

Attack Complexity

LOW

Privileges Required

NONE

User Interaction Required

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

Base Score

9.8

Base Severity

CRITICAL
