mirror of
https://github.com/fkie-cad/nvd-json-data-feeds.git
synced 2025-06-07 13:36:56 +00:00
111 lines
3.5 KiB
JSON
111 lines
3.5 KiB
JSON
{
|
|
"id": "CVE-2023-2453",
|
|
"sourceIdentifier": "disclosure@synopsys.com",
|
|
"published": "2023-09-05T15:15:42.377",
|
|
"lastModified": "2023-09-08T17:27:41.190",
|
|
"vulnStatus": "Analyzed",
|
|
"cveTags": [],
|
|
"descriptions": [
|
|
{
|
|
"lang": "en",
|
|
"value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload."
|
|
},
|
|
{
|
|
"lang": "es",
|
|
"value": "La limpieza de nombres de archivo contaminados que se concatenan directamente con una ruta que posteriormente se pasa a una sentencia 'require_once' es insuficiente. Esto permite que se incluyan y ejecuten archivos arbitrarios con la extensi\u00f3n '.php' cuya ruta absoluta se conoce. No hay medios conocidos en PHPFusion a trav\u00e9s de los cuales un atacante pueda cargar y apuntar a una carga \u00fatil de archivo '.php'."
|
|
}
|
|
],
|
|
"metrics": {
|
|
"cvssMetricV31": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 8.8,
|
|
"baseSeverity": "HIGH"
|
|
},
|
|
"exploitabilityScore": 2.8,
|
|
"impactScore": 5.9
|
|
},
|
|
{
|
|
"source": "disclosure@synopsys.com",
|
|
"type": "Secondary",
|
|
"cvssData": {
|
|
"version": "3.1",
|
|
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
|
|
"attackVector": "NETWORK",
|
|
"attackComplexity": "LOW",
|
|
"privilegesRequired": "LOW",
|
|
"userInteraction": "NONE",
|
|
"scope": "UNCHANGED",
|
|
"confidentialityImpact": "HIGH",
|
|
"integrityImpact": "HIGH",
|
|
"availabilityImpact": "HIGH",
|
|
"baseScore": 8.8,
|
|
"baseSeverity": "HIGH"
|
|
},
|
|
"exploitabilityScore": 2.8,
|
|
"impactScore": 5.9
|
|
}
|
|
]
|
|
},
|
|
"weaknesses": [
|
|
{
|
|
"source": "nvd@nist.gov",
|
|
"type": "Primary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-829"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"source": "disclosure@synopsys.com",
|
|
"type": "Secondary",
|
|
"description": [
|
|
{
|
|
"lang": "en",
|
|
"value": "CWE-829"
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"configurations": [
|
|
{
|
|
"nodes": [
|
|
{
|
|
"operator": "OR",
|
|
"negate": false,
|
|
"cpeMatch": [
|
|
{
|
|
"vulnerable": true,
|
|
"criteria": "cpe:2.3:a:php-fusion:phpfusion:*:*:*:*:*:*:*:*",
|
|
"versionEndIncluding": "9.10.30",
|
|
"matchCriteriaId": "593D7CFA-FF94-4476-98CF-C83A17292E94"
|
|
}
|
|
]
|
|
}
|
|
]
|
|
}
|
|
],
|
|
"references": [
|
|
{
|
|
"url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/",
|
|
"source": "disclosure@synopsys.com",
|
|
"tags": [
|
|
"Third Party Advisory"
|
|
]
|
|
}
|
|
]
|
|
} |