
CVE-2022-24387

File upload and overwrite to app_data/Config in SmarterTrack v100.0.8019.14010

CVE: CVE-2022-24387
Title: File upload and overwrite to app_data/Config in SmarterTrack v100.0.8019.14010
Case: DIVD-2021-00029
Credits:
Affected products:
  Product: SmarterTools SmarterTrack
  Affected: >= 100.0.8019.x to < Build 8075 (custom)
  Unaffected:
  Unknown:
CVSS:
References:
Problem type(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Date published:
Last modified: 20 Jun 2024 12:59 UTC

Description

With administrator or admin privileges, the application can be tricked into overwriting files in the app_data/Config folder, e.g. the systemsettings.xml file. This is possible in SmarterTrack v100.0.8019.14010.


