Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1wcjlxLXY1ODUtcXYyd800vg
Improper Privilege Management in Open Web Analytics
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
Permalink: https://github.com/advisories/GHSA-pr9q-v585-qv2wJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wcjlxLXY1ODUtcXYyd800vg
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: about 2 years ago
Updated: about 1 year ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-pr9q-v585-qv2w, CVE-2022-24637
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-24637
- https://devel0pment.de/?p=2494
- https://github.com/Open-Web-Analytics/Open-Web-Analytics/releases/tag/1.7.4
- http://packetstormsecurity.com/files/169811/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- http://packetstormsecurity.com/files/171389/Open-Web-Analytics-1.7.3-Remote-Code-Execution.html
- https://github.com/advisories/GHSA-pr9q-v585-qv2w
Blast Radius: 1.0
Affected Packages
packagist:open-web-analytics/open-web-analytics
Dependent packages: 0Dependent repositories: 0
Downloads: 62 total
Affected Version Ranges: < 1.7.4
Fixed in: 1.7.4
All affected versions: 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.7.0, 1.7.1, 1.7.2, 1.7.3
All unaffected versions: 1.7.4, 1.7.5, 1.7.6, 1.7.7, 1.7.8