← Back to CVE List

CVE-2022-24688

Published: 2022-07-18T13:15Z
Last Modified: 2024-11-21T06:50Z
Source: MITRE CVE List
License: MITRE-CVE-TOS
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page. > MITRE Terms of Use apply – see LICENSE‑MITRE.txt