9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24637

GHSA ID

GHSA-pr9q-v585-qv2w

EPSS Score

0.99823%

CWE

CWE-269

Published

3/19/2022

Updated

3/17/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2022-24637

CVE-2022-24637:
Improper Privilege Management in Open Web Analytics

Open Web Analytics (OWA) before 1.7.4 allows an unauthenticated remote attacker to obtain sensitive user information, which can be used to gain admin privileges by leveraging cache hashes. This occurs because files generated with '<?php (instead of the intended "<?php sequence) aren't handled by the PHP interpreter.

(GitHub Advisory)

9.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2022-24637

GHSA ID

GHSA-pr9q-v585-qv2w

EPSS Score

0.99823%

CWE

CWE-269

Published

3/19/2022

Updated

3/17/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
open-web-analytics/open-web-analytics	composer	< 1.7.4	1.7.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The primary vulnerability stems from owa_fileCache::putItemToCacheStore's improper header generation, which directly causes sensitive data exposure via unparsed PHP files. This is confirmed by the devel0pment.de analysis showing single-quote usage in cache headers. The secondary function owa_optionsUpdateController::action is implicated in the exploit chain by allowing settings changes that facilitate RCE, as documented in the vulnerability's technical breakdown. Both functions are explicitly tied to the described attack vectors.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Op*n W** *n*lyti*s (OW*) ***or* *.*.* *llows *n un*ut**nti**t** r*mot* *tt**k*r to o*t*in s*nsitiv* us*r in*orm*tion, w*i** **n ** us** to **in **min privil***s *y l*v*r**in* ***** **s**s. T*is o**urs ****us* *il*s **n*r*t** wit* '<?p*p (inst*** o* t

Reasoning

T** prim*ry vuln*r**ility st*ms *rom ow*_*il******::putIt*mTo*****Stor*'s improp*r *****r **n*r*tion, w*i** *ir**tly **us*s s*nsitiv* **t* *xposur* vi* unp*rs** P*P *il*s. T*is is *on*irm** *y t** **v*l*pm*nt.** *n*lysis s*owin* sin*l*-quot* us*** in

9.8

Basic Information

Concerned about an active attack path?

CVE-2022-24637: Improper Privilege Management in Open Web Analytics

9.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2022-24637:
Improper Privilege Management in Open Web Analytics

Vulnerability Intelligence
Miggo AI