High severity8.8NVD Advisory· Published Jul 18, 2022· Updated Jun 17, 2026
CVE-2022-24688
CVE-2022-24688
Description
An issue was discovered in DSK DSKNet 2.16.136.0 and 2.17.136.5. The Touch settings allow unrestricted file upload (and consequently Remote Code Execution) via PDF upload with PHP content and a .php extension. The attacker must hijack or obtain privileged user access to the Parameters page in order to exploit this issue. (That can be easily achieved by exploiting the Broken Access Control with further Brute-force attack or SQL Injection.) The uploaded file is stored within the database and copied to the sync web folder if the attacker visits a certain .php?action= page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- DSK/DSKNetdescription
Patches
Vulnerability mechanics
References
2- github.com/post-cyberlabs/CVE-Advisory/blob/main/CVE-2022-24688-92.pdfnvdExploitThird Party Advisory
- dsk.lu/fr/produits/temps-de-presencenvdVendor Advisory
News mentions
0No linked articles in our index yet.