Cyber Resilience

CVE-2022-32199

Severity: Medium · Public PoC

Published: 27 March 2023
Modified: 19 February 2025
KEV Added:
Patch:
CVSS Score v3.1: 6.5 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.1312 (94.3th percentile)
Risk Priority: 21 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-32199 is a medium-severity Path Traversal (CWE-22) vulnerability in ScriptCase by Scriptcase. Its CVSS base score is 6.5 (Medium).

Operationally, it ranks in the top 5.7% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Deeper analysis

CVE-2022-32199 is an arbitrary file deletion vulnerability in db_convert.php within ScriptCase through version 9.9.008. The flaw stems from improper handling of the file parameter, which accepts directory traversal sequences; it falls under CWE-22 and carries a CVSS 3.1 score of 6.5, reflecting network-accessible exploitation that requires high privileges but has high impact on integrity and availability.

An authenticated administrator can exploit the issue remotely with low complexity and no user interaction required, enabling deletion of arbitrary files on the underlying system and potential disruption of application functionality or data integrity.

Public references consist of a GitHub repository containing exploit details alongside the vendor download page at scriptcase.net, which serves as the source for obtaining updated ScriptCase releases. The associated EPSS values show a current score of 0.1312 against a recorded peak of 0.1607.

EU & UK References

Vulnerability details

db_convert.php in ScriptCase through 9.9.008 is vulnerable to Arbitrary File Deletion by an admin via a directory traversal sequence in the file parameter.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: scriptcase
Product: scriptcase
Versions: ≤ 9.9.008

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Validates pathnames and filenames to prevent traversal outside intended directories. (addresses: CWE-22)
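As an added example (not ScriptCase's own code), the control above applied to a file-deletion handler driven by a `file` request parameter: the requested name is canonicalised with realpath() and the file is only unlinked if the result stays inside an assumed base directory; the base directory, function names and demo files are assumptions for this illustration.

```php
<?php
// Added example, not ScriptCase code: a deletion handler for a "file"
// request parameter that only acts inside one assumed base directory.
declare(strict_types=1);

/**
 * Canonicalise $userPath under $baseDir and return the absolute path
 * only if it stays inside $baseDir; return null for anything else.
 */
function resolveInsideBase(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $userPath === '' || str_contains($userPath, "\0")) {
        return null; // missing base dir, empty name, or NUL-byte truncation
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    if ($candidate === false) {
        return null; // target does not exist, so there is nothing to delete
    }
    // Containment check: the canonical path must begin with "<base>/".
    // A "../../etc/passwd" value canonicalises outside the base and fails here.
    $prefix = rtrim($base, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return str_starts_with($candidate, $prefix) ? $candidate : null;
}

/**
 * Delete the file named by the request parameter, but only within $baseDir.
 * Returns true on success, false when the path is rejected or unlink fails.
 */
function deleteWithinBase(string $baseDir, string $requestedFile): bool
{
    $target = resolveInsideBase($baseDir, $requestedFile);
    if ($target === null || !is_file($target)) {
        error_log('rejected delete request for: ' . $requestedFile); // detection hook
        return false;
    }
    return unlink($target);
}

// Constructed demo: a temporary base directory holding one file.
$base = sys_get_temp_dir() . '/traversal_demo_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . '/export.tmp', 'x');
var_dump(deleteWithinBase($base, 'export.tmp'));         // legitimate name
var_dump(deleteWithinBase($base, '../../etc/passwd'));   // traversal, rejected
rmdir($base);
```

Because realpath() follows symlinks before the prefix comparison, a link inside the base that points elsewhere is rejected as well; the error_log() call gives the rejected value a place to surface in monitoring.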

References