CVE-2023-53895
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Summary
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Pimpmylog | PimpMyLog | 1.7.14 | affected |
Weaknesses
- CWE-285: Improper Authorization
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: yes
- Technical Impact: total
References
- https://www.exploit-db.com/exploits/51593
- https://www.pimpmylog.com/
- https://github.com/potsky/PimpMyLog
- https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.