CVE-2022-24629

An issue was discovered in AudioCodes Device Manager Express through 7.8.20002.47752. Remote code execution can be achieved via directory traversal in the dir parameter of the file upload functionality of BrowseFiles.php. An attacker can upload a .php file to WebAdmin/admin/AudioCodes_files/ajax/.
References
Link Resource
http://seclists.org/fulldisclosure/2023/Feb/12 Exploit Mailing List Third Party Advisory
http://seclists.org/fulldisclosure/2023/Feb/12 Exploit Mailing List Third Party Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:audiocodes:device_manager_express:*:*:*:*:*:*:*:*

History

21 Nov 2024, 06:50

Type Values Removed Values Added
References () http://seclists.org/fulldisclosure/2023/Feb/12 - Exploit, Mailing List, Third Party Advisory () http://seclists.org/fulldisclosure/2023/Feb/12 - Exploit, Mailing List, Third Party Advisory

02 Jun 2023, 03:05

Type Values Removed Values Added
CWE CWE-22
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
CPE cpe:2.3:a:audiocodes:device_manager_express:*:*:*:*:*:*:*:*
References (MISC) http://seclists.org/fulldisclosure/2023/Feb/12 - (MISC) http://seclists.org/fulldisclosure/2023/Feb/12 - Exploit, Mailing List, Third Party Advisory

29 May 2023, 21:15

Type Values Removed Values Added
New CVE

Information

Published : 2023-05-29 21:15

Updated : 2024-11-21 06:50


NVD link : CVE-2022-24629

Mitre link : CVE-2022-24629

CVE.ORG link : CVE-2022-24629


JSON object : View

Products Affected

audiocodes

  • device_manager_express
CWE
CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')