← voltar
CVE-2023-53895

PimpMyLog 1.7.14 Improper Access Control via Account Creation Endpoint

CVSS 9.3 CRITICALEPSS 0.6%CWE-285
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Produtos afetados
Pimpmylog · PimpMyLog

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →
Referências
https://github.com/potsky/PimpMyLoghttps://www.exploit-db.com/exploits/51593https://www.pimpmylog.com/https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint