VYPR
High severity8.8NVD Advisory· Published Jul 18, 2022· Updated Jun 17, 2026

CVE-2022-24688

CVE-2022-24688

Description

An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

2
  • DSK/DSKNetdescription
  • DSK/DSKNetllm-fuzzy
    Range: 2.16.136.0, 2.17.136.5

Patches

Vulnerability mechanics

References

2

News mentions

0

No linked articles in our index yet.