CVE-2023-53895
Severity: CRITICAL (CVSS 9.8)
Description
PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.
CVE details
CVSS v3.1 score: 9.8
Severity: CRITICAL
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack vector: NETWORK
Complexity: LOW
Privileges required: NONE
User interaction: NONE
Published: 12/16/2025
Last modified: 12/30/2025
Source: nvd
Honeypot sightings: 0
Affected products
potsky:pimp_my_log
Weaknesses (CWE)
CWE-285
References
https://github.com/potsky/PimpMyLog (disclosure@vulncheck.com)
https://www.exploit-db.com/exploits/51593 (disclosure@vulncheck.com)
https://www.pimpmylog.com/ (disclosure@vulncheck.com)
https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint (disclosure@vulncheck.com)
IOC correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.