CVE-2023-53888

Zomplog 3.9 contains a remote code execution vulnerability that allows authenticated attackers to inject and execute arbitrary PHP code through file manipulation endpoints. Attackers can upload malicious JavaScript files, rename them to PHP, and execute system commands by exploiting the saveE and rename actions in the application.
Code Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
8.8 HIGH
NETWORK
LOW
LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
VulnCheckCNA
---
---
CISA-ADPADP
---
---
Base Score
CVSS 3.x
EPSS Score
Percentile: 59%
VendorProductVersion
zompzomplog
3.9
𝑥
= Vulnerable software versions
Common Weakness Enumeration
References
https://web.archive.org/web/20080616153330/http://zomp.nl/zomplog/
https://www.exploit-db.com/exploits/51624
https://www.vulncheck.com/advisories/zomplog-remote-code-execution-via-authenticated-file-manipulation
https://www.exploit-db.com/exploits/51624