PWS Personal Weather Station Dashboard (PWS_Dashboard) LTS December 2020 (2012_lts) allows remote code execution by injecting PHP code into settings.php. Attacks can use the PWS_printfile.php, PWS_frame_text.php, PWS_listfile.php, PWS_winter.php, and PWS_easyweathersetup.php endpoints. A contributing factor is a hardcoded login password of support, which is not documented. (This is not the same as the documented setup password, which is 12345.) The issue was fixed in late 2022.
Metrics
Affected Vendors & Products
References
History
No history.
MITRE
Status: PUBLISHED
Assigner: mitre
Published: 2023-04-25T00:00:00
Updated: 2024-08-03T14:09:56.967Z
Reserved: 2022-11-14T00:00:00
Link: CVE-2022-45291
Vulnrichment
No data.
NVD
Status : Modified
Published: 2023-04-25T19:15:10.520
Modified: 2024-11-21T07:29:01.313
Link: CVE-2022-45291
Redhat
No data.