CVE-2023-2453

HIGH Year: 2023
CVSS v3 Score
8.8
High
Weakness Type
CWE-829
View all →

Vulnerability Description

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

Related Vulnerabilities

CVE-2018-18387

HIGH
CVSS:8.8(High)

playSMS through 1.4.2 allows Privilege Escalation through Daemon abuse.

CWE-8292018

CVE-2019-8154

HIGH
CVSS:8.8(High)

A remote code execution vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1. An authenticated user with privileges to modify product catalogs can trigger PHP fi...

CWE-8292019

CVE-2019-9829

HIGH
CVSS:8.8(High)

Maccms 10 allows remote attackers to execute arbitrary PHP code by entering this code in a template/default_pc/html/art Edit action. This occurs because template rendering uses an include operation on...

CWE-8292019

CVE-2021-30507

HIGH
CVSS:8.8(High)

Inappropriate implementation in Offline in Google Chrome on Android prior to 90.0.4430.212 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTM...

CWE-8292021

CVE-2022-22246

HIGH
CVSS:8.8(High)

A PHP Local File Inclusion (LFI) vulnerability in the J-Web component of Juniper Networks Junos OS may allow a low-privileged authenticated attacker to execute an untrusted PHP file. By chaining this ...

CWE-8292022

CVE-2022-30243

HIGH
CVSS:8.8(High)

Honeywell Alerton Visual Logic through 2022-05-04 allows unauthenticated programming writes from remote users. This enables code to be stored on the controller and then run without verification. A use...

CWE-8292022