CVE-2022-24629

Exploit

EPSS 45.66%
Veröffentlicht 29.05.2023 21:15:09
Zuletzt bearbeitet 14.01.2025 18:15:23
Quelle cve@mitre.org
CVE-Watchlists
Login
Unerledigt
Login

An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 4

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Audiocodes ≫ Device Manager Express Version <= 7.8.20002.47752

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	45.66%	0.975

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
134c704f-9b21-4f2e-91b3-4a467353bcc0	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

http://seclists.org/fulldisclosure/2023/Feb/12

Third Party Advisory

Exploit

Mailing List

https://nvd.nist.gov/vuln/detail/CVE-2022-24629

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-24629

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-24629

EUVD