CVE-2022-44006
Published: 16 November 2022
Summary
CVE-2022-44006 is a critical-severity Path Traversal (CWE-22) vulnerability in BACKCLICK Professional. Its CVSS 3.1 base score is 9.8 (Critical).
Operationally, it ranks in the top 9.4% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2022-44006 affects BACKCLICK Professional version 5.9.63 and stems from improper validation or sanitization of upload filenames. An externally reachable, unauthenticated update function joins the attacker-supplied filename to its target directory without checking it, so files can be written outside that directory. This is CWE-22 path traversal, rated CVSS 3.1 9.8.
Unauthenticated remote attackers can exploit the flaw over the network, without any user interaction, to write arbitrary content, including executable files, to a location of their choosing on the server and thereby achieve remote code execution.
Public advisories published by SySS at the referenced URLs describe the issue in detail and are accompanied by a related technical blog post on multiple vulnerabilities in the same product.
The associated EPSS score has remained flat at 0.0571 (roughly a 5.7% estimated probability of exploitation activity within the next 30 days), with no material increase observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-46969
Vulnerability details
An issue was discovered in BACKCLICK Professional 5.9.63. Due to improper validation or sanitization of upload filenames, an externally reachable, unauthenticated update function permits writing files outside the intended target location. Achieving remote code execution is possible, e.g., by uploading an executable file.
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Related Threats
No named threat actor has been attributed to this CVE. ATT&CK technique mapping for it is in progress.
Affected Assets
BACKCLICK Professional 5.9.63
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Validates pathnames and filenames to prevent traversal outside intended directories.
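As an added example (not BACKCLICK code and not the SySS proof-of-concept), the following Python shows the filename-handling pattern the advisory describes, a naive join of the request-supplied filename onto the target directory, next to the allow-list plus resolved-path check that the control above calls for. The base directory, function names and sample filenames are assumptions for illustration.

```python
"""Upload-filename handling: the naive join behind CWE-22 path traversal,
next to a hardened version.

Added example; not BACKCLICK code. Base directory, function names and the
sample filenames are assumptions for illustration.
"""
import os
import re

# Conservative filename policy: exactly one path component, no separators,
# no leading dot, no control or escape characters. Anything else is
# rejected outright rather than "cleaned", because cleaning is where
# traversal bugs hide.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$")


def vulnerable_target_path(base_dir: str, client_filename: str) -> str:
    """The pattern behind the advisory: the name from the request is joined
    to the target directory as-is. Returns the normalized path the file
    would land on, so the escape is visible. Note that os.path.join
    discards base_dir entirely when the client name is absolute."""
    return os.path.normpath(os.path.join(base_dir, client_filename))


def safe_target_path(base_dir: str, client_filename: str) -> str:
    """Return an absolute path under base_dir for client_filename, or raise
    ValueError if the name could leave the directory."""
    if "\x00" in client_filename:
        raise ValueError("NUL byte in filename")
    # Treat both separator styles as hostile: Windows hosts and some
    # libraries normalize backslashes to slashes.
    if "/" in client_filename or "\\" in client_filename:
        raise ValueError("path separator in filename")
    if client_filename in (".", "..") or not _SAFE_NAME.match(client_filename):
        raise ValueError("filename does not match allow-list")

    # Defence in depth: resolve symlinks in the base directory and prove that
    # the final path is still inside it. commonpath compares whole components,
    # so "/srv/updates-old" is not mistaken for a child of "/srv/updates".
    base_real = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base_real, client_filename))
    if os.path.commonpath([base_real, candidate]) != base_real:
        raise ValueError("resolved path escapes base directory")
    return candidate


def triage_filenames(base_dir: str, names):
    """Map each candidate filename to (where the naive join would write it,
    whether the hardened check accepts it, the hardened path or None)."""
    result = {}
    for name in names:
        try:
            safe = safe_target_path(base_dir, name)
            accepted = True
        except ValueError:
            safe = None
            accepted = False
        result[name] = (vulnerable_target_path(base_dir, name), accepted, safe)
    return result


# Constructed sample filenames, as an attacker would supply them in the
# upload request. Only the first one is a legitimate update artifact.
SAMPLE_NAMES = [
    "patch-5.9.64.jar",
    "../../../etc/cron.d/backdoor",
    "/etc/passwd",
    "..\\..\\windows\\win.ini",
    "..%2F..%2Fetc%2Fpasswd",
    ".htaccess",
    "update\x00.jar",
]

if __name__ == "__main__":
    base = "/example-app/updates"  # assumed target directory of the update function
    for name, (naive, ok, safe) in triage_filenames(base, SAMPLE_NAMES).items():
        verdict = "accept " + safe if ok else "reject"
        print(f"{name!r:35} naive -> {naive:45} hardened -> {verdict}")
```

Run stand-alone, the script prints one line per sample name: the naive join sends `../../../etc/cron.d/backdoor` to `/etc/cron.d/backdoor` and `/etc/passwd` straight to `/etc/passwd`, while the hardened check rejects every name except `patch-5.9.64.jar`. The URL-encoded variant is rejected by the allow-list rather than decoded; decoding must happen exactly once, in the framework, before the name reaches this check, otherwise a second decode can reintroduce the separators.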