PT-2023-14639 · Unknown · Pws Personal Weather Station Dashboard

Cavefxa +1 · Published 2023-04-25 · Updated 2025-02-04 · CVE-2022-45291

CVSS v3.1: 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

PWS Personal Weather Station Dashboard (PWS Dashboard) version 2012 lts

Description

The issue allows remote code execution by injecting PHP code into settings.php. Attacks can use the "PWS printfile.php", "PWS frame text.php", "PWS listfile.php", "PWS winter.php", and "PWS easyweathersetup.php" endpoints. A contributing factor is a hardcoded login password, "support", which is not documented. The issue was fixed in late 2022.

Recommendations

For PWS Personal Weather Station Dashboard (PWS Dashboard) version 2012 lts, update to a version released after late 2022 to resolve the issue. As a temporary workaround, consider disabling access to the vulnerable endpoints until a patch is available. Restrict access to the settings.php file to minimize the risk of exploitation. Avoid using the hardcoded login password "support" until the issue is resolved.

Exploit

Fix

Weakness Enumeration: Using Hardcoded Credentials

Related Identifiers: CVE-2022-45291

Affected Products: Pws Personal Weather Station Dashboard