Search
Find a vulnerability
Search criteria
ⓘ
Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.
4 vulnerabilities by paijp
CVE-2023-46723 (GCVE-0-2023-46723)
Vulnerability from nvd – Published: 2023-10-31 15:34 – Updated: 2024-09-05 20:14
VLAI
Title
lte-pic32-writer's sendto.txt may disclose URL and the API key
Summary
lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.
Severity
8.9 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/paijp/lte-pic32-writer/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| paijp | lte-pic32-writer |
Affected:
<= 0.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:13:54.160029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:14:13.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lte-pic32-writer",
"vendor": "paijp",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T15:34:44.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh"
}
],
"source": {
"advisory": "GHSA-9qgg-ph2v-v4mh",
"discovery": "UNKNOWN"
},
"title": "lte-pic32-writer\u0027s sendto.txt may disclose URL and the API key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46723",
"datePublished": "2023-10-31T15:34:44.646Z",
"dateReserved": "2023-10-25T14:30:33.750Z",
"dateUpdated": "2024-09-05T20:14:13.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28854 (GCVE-0-2023-28854)
Vulnerability from nvd – Published: 2023-04-03 17:55 – Updated: 2025-02-11 14:35
VLAI
Title
nophp vulnerable to shell command injection on httpd user when sending a password-setting mail or mail-login mail
Summary
nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/paijp/nophp/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/paijp/nophp/commit/e5409aa2d44… | x_refsource_MISC |
| https://github.com/paijp/nophp/releases/tag/v0.0.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm"
},
{
"name": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa"
},
{
"name": "https://github.com/paijp/nophp/releases/tag/v0.0.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/releases/tag/v0.0.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:35:39.425232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T14:35:47.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nophp",
"vendor": "paijp",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-03T17:55:56.789Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm"
},
{
"name": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa"
},
{
"name": "https://github.com/paijp/nophp/releases/tag/v0.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/paijp/nophp/releases/tag/v0.0.1"
}
],
"source": {
"advisory": "GHSA-9858-q3c2-9wwm",
"discovery": "UNKNOWN"
},
"title": "nophp vulnerable to shell command injection on httpd user when sending a password-setting mail or mail-login mail"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28854",
"datePublished": "2023-04-03T17:55:56.789Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2025-02-11T14:35:47.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-46723 (GCVE-0-2023-46723)
Vulnerability from cvelistv5 – Published: 2023-10-31 15:34 – Updated: 2024-09-05 20:14
VLAI
Title
lte-pic32-writer's sendto.txt may disclose URL and the API key
Summary
lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`.
Severity
8.9 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-538 - Insertion of Sensitive Information into Externally-Accessible File or Directory
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/paijp/lte-pic32-writer/securit… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| paijp | lte-pic32-writer |
Affected:
<= 0.0.1
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T20:53:21.321Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-46723",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-05T20:13:54.160029Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-05T20:14:13.094Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "lte-pic32-writer",
"vendor": "paijp",
"versions": [
{
"status": "affected",
"version": "\u003c= 0.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "lte-pic32-writer is a writer for PIC32 devices. In versions 0.0.1 and prior, those who use `sendto.txt` are vulnerable to attackers who known the IMEI reading the sendto.txt. The sendto.txt file can contain the SNS(such as slack and zulip) URL and API key. As of time of publication, a patch is not yet available. As workarounds, avoid using `sendto.txt` or use `.htaccess` to block access to `sendto.txt`."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-538",
"description": "CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-10-31T15:34:44.646Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/paijp/lte-pic32-writer/security/advisories/GHSA-9qgg-ph2v-v4mh"
}
],
"source": {
"advisory": "GHSA-9qgg-ph2v-v4mh",
"discovery": "UNKNOWN"
},
"title": "lte-pic32-writer\u0027s sendto.txt may disclose URL and the API key"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-46723",
"datePublished": "2023-10-31T15:34:44.646Z",
"dateReserved": "2023-10-25T14:30:33.750Z",
"dateUpdated": "2024-09-05T20:14:13.094Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-28854 (GCVE-0-2023-28854)
Vulnerability from cvelistv5 – Published: 2023-04-03 17:55 – Updated: 2025-02-11 14:35
VLAI
Title
nophp vulnerable to shell command injection on httpd user when sending a password-setting mail or mail-login mail
Summary
nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.
Severity
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/paijp/nophp/security/advisorie… | x_refsource_CONFIRM |
| https://github.com/paijp/nophp/commit/e5409aa2d44… | x_refsource_MISC |
| https://github.com/paijp/nophp/releases/tag/v0.0.1 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T13:51:38.395Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm"
},
{
"name": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa"
},
{
"name": "https://github.com/paijp/nophp/releases/tag/v0.0.1",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/paijp/nophp/releases/tag/v0.0.1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-28854",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-11T14:35:39.425232Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-11T14:35:47.164Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "nophp",
"vendor": "paijp",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-04-03T17:55:56.789Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm"
},
{
"name": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa"
},
{
"name": "https://github.com/paijp/nophp/releases/tag/v0.0.1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/paijp/nophp/releases/tag/v0.0.1"
}
],
"source": {
"advisory": "GHSA-9858-q3c2-9wwm",
"discovery": "UNKNOWN"
},
"title": "nophp vulnerable to shell command injection on httpd user when sending a password-setting mail or mail-login mail"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2023-28854",
"datePublished": "2023-04-03T17:55:56.789Z",
"dateReserved": "2023-03-24T16:25:34.468Z",
"dateUpdated": "2025-02-11T14:35:47.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}