CVE-2022-24241
Description
ACEweb Online Portal 3.5.065 was discovered to contain an External Controlled File Path and Name vulnerability via the txtFilePath parameter in attachments.awp.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ACEweb Online Portal 3.5.065 has an external controlled file path vulnerability in attachments.awp via txtFilePath parameter, allowing arbitrary file read/write.
Vulnerability
ACEweb Online Portal version 3.5.065 is vulnerable to an External Controlled File Path and Name (path traversal) in the attachments.awp script. The txtFilePath parameter does not properly sanitize user input, allowing an attacker to specify arbitrary file paths.
Exploitation
An attacker can exploit this vulnerability by sending a crafted HTTP request to the attachments.awp endpoint with a malicious txtFilePath parameter. No authentication is required. The attacker can specify paths like ../../../etc/passwd to read sensitive files or potentially write files.
Impact
Successful exploitation could allow an attacker to read or write arbitrary files on the server, leading to information disclosure, data modification, or potentially remote code execution depending on the files accessed.
Mitigation
No official fix or patched version has been disclosed in the available references. Affected users should monitor vendor updates and consider restricting access to attachments.awp or applying input validation if possible.
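As an added example (not ACEware code and not part of the CVE record), the Python below reviews web-server access logs for requests to attachments.awp whose txtFilePath value is absolute or climbs out of its directory. The same check serves as input validation in front of the endpoint. It assumes combined-format logs, that the parameter arrives in the query string, and that parameter names match case-insensitively; the log lines and file names are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')
# Constructed sample access-log lines (documentation IP ranges, made-up file names).
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2024:10:00:00 +0000] "GET /attachments.awp?txtFilePath=syllabus.pdf HTTP/1.1" 200 5120',
    '203.0.113.9 - - [01/Jan/2024:10:00:05 +0000] "GET /attachments.awp?txtFilePath=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1843',
    '203.0.113.9 - - [01/Jan/2024:10:00:06 +0000] "GET /attachments.awp?txtfilepath=%252e%252e%252fexample.txt HTTP/1.1" 200 90',
    '203.0.113.9 - - [01/Jan/2024:10:00:07 +0000] "GET /attachments.awp?txtFilePath=C:%5Ctemp%5Cexample.txt HTTP/1.1" 200 90',
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "GET /courses.awp?id=12 HTTP/1.1" 200 300',
]

def fully_decode(value, rounds=5):
    """Undo nested percent-encoding, with a bound on the number of passes."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_path(value):
    """Return a reason string if the value leaves the intended directory, else None."""
    path = fully_decode(value).replace("\\", "/")  # treat both separators alike
    if "\x00" in path:
        return "null byte"
    if path.startswith("/") or re.match(r"^[A-Za-z]:", path):
        return "absolute path"
    if ".." in path.split("/"):
        return "parent-directory segment"
    return None

def scan(lines):
    """Return (line_number, reason, decoded_value) for each flagged request."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        url = urlsplit(match.group(1)) if match else None
        if url is None or not url.path.lower().endswith("/attachments.awp"):
            continue
        values = [v for k, vs in parse_qs(url.query).items()
                  if k.lower() == "txtfilepath" for v in vs]
        for value in values:
            reason = suspicious_path(value)
            if reason:
                hits.append((number, reason, fully_decode(value)))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```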
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ACEweb/ACEweb Online Portal
- Range: =3.5.065
Patches
No patches discovered yet.
References
- aceware.com (mitre, x_refsource_MISC)
- aceweb.com (mitre, x_refsource_MISC)
- www.aceware.com/forum/viewtopic.php (mitre, x_refsource_MISC)