Dynamicweb up to 9.12.x improper authentication

Summaryinfo

A vulnerability classified as critical has been found in Dynamicweb up to 9.12.x. Affected is an unknown function. This manipulation causes improper authentication. The identification of this vulnerability is CVE-2022-25369. It is possible to initiate the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

Detailsinfo

A vulnerability classified as critical was found in Dynamicweb up to 9.12.x. Affected by this vulnerability is some unknown processing. The manipulation with an unknown input leads to a improper authentication vulnerability. The CWE definition for the vulnerability is CWE-287. When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

An issue was discovered in Dynamicweb before 9.12.8. An attacker can add a new administrator user without authentication. This flaw exists due to a logic issue when determining if the setup phases of the product can be run again. Once an attacker is authenticated as the new admin user they have added, it is possible to upload an executable file and achieve command execution. This is fixed in 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8, and 9.13.0 (and later).

The advisory is shared at dynamicweb.com. This vulnerability is known as CVE-2022-25369 since 02/19/2022. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Neither technical details nor an exploit are publicly available.

Upgrading to version 9.5.9, 9.6.16, 9.7.8, 9.8.11, 9.9.8, 9.10.18, 9.12.8 or 9.13.0 eliminates this vulnerability.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Productinfo

Name

• Dynamicweb

Version

• 9.0
• 9.1
• 9.2
• 9.3
• 9.4
• 9.5
• 9.5.0
• 9.5.1
• 9.5.2
• 9.5.3
• 9.5.4
• 9.5.5
• 9.5.6
• 9.5.7
• 9.5.8
• 9.6
• 9.6.0
• 9.6.1
• 9.6.2
• 9.6.3
• 9.6.4
• 9.6.5
• 9.6.6
• 9.6.7
• 9.6.8
• 9.6.9
• 9.6.10
• 9.6.11
• 9.6.12
• 9.6.13
• 9.6.14
• 9.6.15
• 9.7
• 9.7.0
• 9.7.1
• 9.7.2
• 9.7.3
• 9.7.4
• 9.7.5
• 9.7.6
• 9.7.7
• 9.8
• 9.8.0
• 9.8.1
• 9.8.2
• 9.8.3
• 9.8.4
• 9.8.5
• 9.8.6
• 9.8.7
• 9.8.8
• 9.8.9
• 9.8.10
• 9.9
• 9.9.0
• 9.9.1
• 9.9.2
• 9.9.3
• 9.9.4
• 9.9.5
• 9.9.6
• 9.9.7
• 9.10
• 9.10.0
• 9.10.1
• 9.10.2
• 9.10.3
• 9.10.4
• 9.10.5
• 9.10.6
• 9.10.7
• 9.10.8
• 9.10.9
• 9.10.10
• 9.10.11
• 9.10.12
• 9.10.13
• 9.10.14
• 9.10.15
• 9.10.16
• 9.10.17
• 9.11
• 9.12
• 9.12.0
• 9.12.1
• 9.12.2
• 9.12.3
• 9.12.4
• 9.12.5
• 9.12.6
• 9.12.7

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Discussion