CVE-2022-32199
Published: 27 March 2023
Summary
CVE-2022-32199 is a medium-severity Path Traversal (CWE-22) vulnerability in Scriptcase. Its CVSS base score is 6.5 (Medium).
Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-32199 is an arbitrary file deletion vulnerability in db_convert.php within ScriptCase through version 9.9.008. The flaw stems from improper handling of the file parameter, permitting directory traversal sequences and falling under CWE-22, with a CVSS 3.1 score of 6.5 reflecting network-accessible exploitation that requires high privileges but yields high impact on integrity and availability.
An authenticated administrator can exploit the issue remotely with low complexity and no user interaction required, enabling deletion of arbitrary files on the underlying system and potential disruption of application functionality or data integrity.
Public references consist of a GitHub repository containing exploit details alongside the vendor download page at scriptcase.net, which serves as the source for obtaining updated ScriptCase releases. The associated EPSS values show a current score of 0.1312 against a recorded peak of 0.1607.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-53407
Vulnerability details
db_convert.php in ScriptCase through 9.9.008 is vulnerable to Arbitrary File Deletion by an admin via a directory traversal sequence in the file parameter.
- CWE(s): CWE-22 (Path Traversal)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
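The control above, sketched for a file-deletion handler like the one this CVE describes. This is an added example, not ScriptCase code or the vendor's fix; the function name `delete_within`, the directory layout and the sample file names are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helper (added example): delete $userFile only if its
// canonical path lies inside $baseDir.
function delete_within(string $baseDir, string $userFile): bool
{
    $base = realpath($baseDir);
    if ($base === false || !is_dir($base)) {
        throw new RuntimeException('base directory does not exist');
    }
    // Reject empty names and NUL bytes before touching the filesystem.
    if ($userFile === '' || strpos($userFile, "\0") !== false) {
        return false;
    }
    // realpath() collapses "../" sequences and resolves symlinks;
    // it returns false when the path does not exist.
    $target = realpath($base . DIRECTORY_SEPARATOR . $userFile);
    if ($target === false || !is_file($target)) {
        return false;
    }
    // Compare against base + separator so a sibling such as
    // "/data/work_old" cannot pass a check meant for "/data/work".
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return false;
    }
    return unlink($target);
}

// Constructed demo tree: one file inside the allowed directory, one outside.
$root = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'sc_demo_' . bin2hex(random_bytes(4));
mkdir($root . '/work', 0700, true);
file_put_contents($root . '/work/export.tmp', 'x');
file_put_contents($root . '/keep.conf', 'x');

var_dump(delete_within($root . '/work', 'export.tmp'));   // file inside the base directory
var_dump(delete_within($root . '/work', '../keep.conf')); // traversal out of the base directory
var_dump(file_exists($root . '/keep.conf'));              // whether the outside file survived

// Clean up the demo tree.
unlink($root . '/keep.conf');
rmdir($root . '/work');
rmdir($root);
```

The check runs on the canonical path, so encoded or nested `../` sequences are judged by where they resolve rather than by how they are spelled. A window remains between `realpath()` and `unlink()`, so the base directory should not be writable by untrusted users.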