.. / CVE-2022-24637

Exploit for Open Web Analytics (OWA) < 1.7.4 - Sensitive Information Disclosure to RCE (CVE-2022-24637)

Description:

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with ‘<?php (instead of the intended “<?php sequence) aren’t handled by the PHP interpreter.

Proof of Concept

PoC exploit

https://github.com/0xM4hm0ud/CVE-2022-24637

Try the exploit in a lab environment:

Lab	Machine	Link
Hack The Box	Vessel	Go to Practice

References:

https://nvd.nist.gov/vuln/detail/CVE-2022-24637
https://devel0pment.de/?p=2494

.. / CVE-2022-24637 if(localStorage["style"]=="true"){ document.getElementById('pagestyle').setAttribute('href','/assets/styleDark.css'); document.querySelector('input[type="checkbox"]').checked = true }

Exploit for Open Web Analytics (OWA) < 1.7.4 - Sensitive Information Disclosure to RCE (CVE-2022-24637)

Description:

Proof of Concept

PoC exploit

Try the exploit in a lab environment:

.. / CVE-2022-24637