Unknown · Pws Personal Weather Station Dashboard · CVE-2022-45291
**Name of the Vulnerable Software and Affected Versions**
PWS Personal Weather Station Dashboard (PWS Dashboard) version 2012 lts
**Description**
The issue allows remote code execution by injecting PHP code into settings.php. Attacks can use the "PWS printfile.php", "PWS frame text.php", "PWS listfile.php", "PWS winter.php", and "PWS easyweathersetup.php" endpoints. A contributing factor is a hardcoded login password of `support`, which is not documented. The issue was fixed in late 2022.
**Recommendations**
For PWS Personal Weather Station Dashboard (PWS Dashboard) version 2012 lts, update to a version released after late 2022 to resolve the issue. As a temporary workaround until the update is applied, consider disabling access to the vulnerable endpoints. Restrict access to the settings.php file to minimize the risk of exploitation. Avoid using the hardcoded login password `support` until the issue is resolved.
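To check whether the endpoints named in the description (or settings.php itself) are still reachable, or have already been requested, a web server access log can be triaged per client. The script below is an added example, not code from the PWS Dashboard project. It assumes Common/Combined Log Format, and because the on-disk spelling of the endpoint names is an assumption it matches a space, `%20` or underscore as the separator. The `/weather/` path and all log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Endpoint names exactly as the advisory lists them. The separator inside each
# name is matched loosely (space or underscore): on-disk spelling is an assumption.
ENDPOINTS = ["PWS printfile.php", "PWS frame text.php", "PWS listfile.php",
             "PWS winter.php", "PWS easyweathersetup.php"]
SETTINGS_FILE = "settings.php"

def _normalize(name):
    """Lower-case a file name and collapse runs of spaces/underscores to '_'."""
    return re.sub(r"[ _]+", "_", name).lower()

WATCHED = {_normalize(e) for e in ENDPOINTS}

# Common/Combined Log Format: host ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')

def triage(lines):
    """Return {client: [(time, method, file, status), ...]} for watched files."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        # Drop the query string, then percent-decode so %20 and ' ' compare equal.
        path = unquote(urlsplit(m["target"]).path)
        leaf = _normalize(path.rsplit("/", 1)[-1])
        if leaf in WATCHED or leaf == SETTINGS_FILE:
            hits[m["host"]].append((m["time"], m["method"], leaf, int(m["status"])))
    return dict(hits)

# Constructed sample log lines (documentation IP ranges, hypothetical /weather/ path).
SAMPLE = [
    '203.0.113.7 - - [10/Dec/2022:10:01:02 +0000] "GET /weather/index.php HTTP/1.1" 200 5120',
    '198.51.100.23 - - [10/Dec/2022:10:02:10 +0000] "POST /weather/PWS_easyweathersetup.php HTTP/1.1" 200 812',
    '198.51.100.23 - - [10/Dec/2022:10:02:15 +0000] "GET /weather/PWS%20listfile.php?x=1 HTTP/1.1" 200 2048',
    '198.51.100.23 - - [10/Dec/2022:10:02:20 +0000] "GET /weather/settings.php HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for client, events in triage(SAMPLE).items():
        for when, method, leaf, status in events:
            print(f"{client} {when} {method} {leaf} -> {status}")
```

A 2xx status on any of these files after the workaround is in place means the access restriction is not effective for that path.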