Cyber Resilience

CVE-2022-24108

Critical · Public PoC · RCE

Published: 17 May 2022
Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.3776 (97.3rd percentile)
Risk Priority: 42 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-24108 is a critical-severity Deserialization of Untrusted Data (CWE-502) vulnerability in Skyoftech So Listing Tabs. Its CVSS base score is 9.8 (Critical).

Operationally, this CVE ranks in the top 2.7% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

The Skyoftech So Listing Tabs module version 2.2.0 for OpenCart is affected by an unsafe deserialization vulnerability tracked as CVE-2022-24108. The flaw, assigned CWE-502, permits a remote attacker to supply a serialized PHP object through the module's setting parameter, which is then deserialized without validation. This carries a CVSS 3.1 score of 9.8 and can lead to arbitrary file writes, denial of service, or remote code execution on the server.

An unauthenticated attacker with network access can exploit the issue directly by crafting and submitting a malicious serialized payload; no authentication or user interaction is required. Successful exploitation grants the ability to execute arbitrary code, modify files, or disrupt service availability on the affected OpenCart installation.

The EPSS score for this CVE currently stands at 0.3776 with a recorded peak of 0.4064, indicating moderate and relatively stable exploitation interest since disclosure. Public references include exploit code and module pages on Packet Storm and Full Disclosure, but no specific patch or mitigation guidance is detailed in the available information.

EU & UK References

Vulnerability details

The Skyoftech So Listing Tabs module 2.2.0 for OpenCart allows a remote attacker to inject a serialized PHP object via the setting parameter, potentially resulting in the ability to write to files on the server, cause DoS, and achieve remote code execution because of deserialization of untrusted data.

CWE(s)

CWE-502: Deserialization of Untrusted Data

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: skyoftech
Product: so listing tabs
Version: 2.2.0

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

(addresses CWE-502) Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

(addresses CWE-502) Deserialization testing evaluates how untrusted data is handled, revealing unsafe processing that the remediation process must then address.

(addresses CWE-502) Untrusted serialized data is deserialized and observed inside a sandbox, so that gadget-chain exploitation cannot reach the system outside it.

(addresses CWE-502) Input validation validates or rejects untrusted serialized data before deserialization occurs.

(addresses CWE-502) Boundary filtering identifies and blocks malicious code introduced through deserialization of untrusted data at system boundaries.

(addresses CWE-502) Integrity verification of serialized information detects tampering before deserialization occurs.

(addresses CWE-502) Provenance tracking of associated data allows untrusted sources to be detected before deserialization or processing occurs.
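The deeper analysis above describes a serialized PHP object arriving in a setting parameter and being passed straight to the deserializer, and two of the controls listed here (validating serialized data before deserialization, and verifying its integrity) describe the fix. The snippet below is an added example written for this page; it is not code from OpenCart or from the So Listing Tabs module. It shows how a PHP module can store its settings as a signed serialized blob and refuse to deserialize anything that fails the HMAC check or that would instantiate an object. The function names, the payload layout ("<hex hmac>.<serialized data>") and the secret are all constructed for the example.

```php
<?php
// Added example, not OpenCart or So Listing Tabs code. Demonstrates two
// CWE-502 controls for a serialized settings blob: integrity verification
// (HMAC) before deserialization, and deserialization with object
// instantiation disabled. Payload layout is assumed: "<hex hmac>.<serialized>".

declare(strict_types=1);

/** True if any value in the (nested) array is an object. */
function containsObject(array $value): bool
{
    foreach ($value as $item) {
        if (is_object($item)) {
            return true;
        }
        if (is_array($item) && containsObject($item)) {
            return true;
        }
    }
    return false;
}

/**
 * Load a settings array from a signed payload.
 * Returns null on any failure so the caller falls back to defaults
 * instead of acting on tampered or malformed input.
 */
function loadSetting(string $payload, string $secret): ?array
{
    $parts = explode('.', $payload, 2);
    if (count($parts) !== 2) {
        return null;                       // not in the expected layout
    }
    [$tag, $data] = $parts;

    // Integrity check first: constant-time compare of the stored HMAC
    // against one recomputed over the serialized bytes.
    $expected = hash_hmac('sha256', $data, $secret);
    if (!hash_equals($expected, $tag)) {
        return null;                       // tampered or forged blob
    }

    // allowed_classes => false: no class is instantiated, so no
    // __wakeup()/__destruct() gadget can run. Any object in the input
    // comes back as a __PHP_Incomplete_Class placeholder, which we reject.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if (!is_array($value) || containsObject($value)) {
        return null;
    }
    return $value;
}

/** Producer side: sign the serialized settings when persisting them. */
function saveSetting(array $setting, string $secret): string
{
    $data = serialize($setting);
    return hash_hmac('sha256', $data, $secret) . '.' . $data;
}

// Constructed demonstration values; the secret would live in server-side
// configuration, never in the request.
$secret = 'PLACEHOLDER-server-side-secret';
$blob   = saveSetting(['tabs' => 3, 'layout' => 'grid'], $secret);

var_dump(loadSetting($blob, $secret));                        // the settings array
var_dump(loadSetting(substr($blob, 0, -1) . '"', $secret));   // NULL: HMAC mismatch
var_dump(loadSetting('no-signature-here', $secret));          // NULL: bad layout
```

For plain configuration data such as tab counts and layout names, replacing serialize()/unserialize() with json_encode()/json_decode($data, true) removes the object-instantiation problem entirely and is the simpler fix; the HMAC step still belongs in front of either decoder whenever the blob can be supplied by a client.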

References