CVE-2023-38874

Published: Sep 28, 2023Modified: Nov 21, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

Affected (2)

Products: Economizzer: Economizzer

1 product

Configuration A

2 vulnerable

Vulnerable Software	Affected Versions
Economizzer Economizzer	Version 0.9 beta1
Economizzer Economizzer	Version april_2023

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

References (6)

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38874

Source: cve@mitre.org

ExploitThird Party Advisory

https://github.com/gugoan/economizzer

Source: cve@mitre.org

Product

https://www.economizzer.org

Source: cve@mitre.org

Product

https://github.com/dub-flow/vulnerability-research/tree/main/CVE-2023-38874

Source: af854a3a-2127-422b-91ae-364da2661108

ExploitThird Party Advisory

https://github.com/gugoan/economizzer

Source: af854a3a-2127-422b-91ae-364da2661108

Product

https://www.economizzer.org

Source: af854a3a-2127-422b-91ae-364da2661108

Product

Timeline

No history available yet.