CVE-2022-24637: Improper Privilege Management
Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.
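A defensive check for the condition described above, added here as an example and not taken from the advisory or the OWA code base: it lists .php files under a directory that do not begin with an open tag the PHP interpreter recognises. The directory argument, function names and sample file contents are assumptions constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# PHP only treats "<?php" as an open tag when whitespace follows it.
PHP_OPEN_TAG = re.compile(rb"<\?php[ \t\r\n]", re.IGNORECASE)


def starts_with_php_tag(data: bytes) -> bool:
    """True if the content begins with an open tag the interpreter will honour."""
    return PHP_OPEN_TAG.match(data) is not None


def find_unprotected_files(cache_dir: Path) -> list[str]:
    """Relative paths of *.php files that do not begin with a recognised open tag.

    The leading content of such a file is sent to the client verbatim
    instead of being parsed as PHP.
    """
    flagged = []
    for path in sorted(cache_dir.rglob("*.php")):
        with path.open("rb") as fh:
            head = fh.read(16)
        if not starts_with_php_tag(head):
            flagged.append(path.relative_to(cache_dir).as_posix())
    return flagged


def demo() -> list[str]:
    """Scan constructed sample files (hypothetical, not real OWA cache content)."""
    samples = {
        "ok.php": b"<?php\n/* serialized-data */\n?>",
        # Backslash + 'n' written literally, as a single-quoted PHP string would.
        "literal_newline.php": b"<?php\\n /* serialized-data */",
        "sub/no_tag.php": b"serialized-data",
    }
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name, body in samples.items():
            target = root / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(body)
        return find_unprotected_files(root)


if __name__ == "__main__":
    for name in demo():
        print("not handled by the PHP interpreter:", name)
```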