cnvd - cnvd-2023-86326

CNVD-2023-86326

Vulnerability from cnvd - Published: 2023-11-14

Title

Company Website CMS文件上传漏洞

Description

Company Website CMS是一个公司网站CMS。 Company Website CMS v1.0版本存在文件上传漏洞。该漏洞源于应用对上传的文件缺少有效的验证。攻击者可利用该漏洞上传恶意文件从而远程执行任意代码。

Severity

中

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://vuldb.com/?ctiid.244310

Reference

https://nvd.nist.gov/vuln/detail/CVE-2023-5919

Impacted products

Name
Company Website CMS Company Website CMS 1.0

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2023-5919",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2023-5919"
    }
  },
  "description": "Company Website CMS\u662f\u4e00\u4e2a\u516c\u53f8\u7f51\u7ad9CMS\u3002\n\nCompany Website CMS v1.0\u7248\u672c\u5b58\u5728\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e\u3002\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5e94\u7528\u5bf9\u4e0a\u4f20\u7684\u6587\u4ef6\u7f3a\u5c11\u6709\u6548\u7684\u9a8c\u8bc1\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\u4ece\u800c\u8fdc\u7a0b\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://vuldb.com/?ctiid.244310",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2023-86326",
  "openTime": "2023-11-14",
  "products": {
    "product": "Company Website CMS Company Website CMS 1.0"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2023-5919",
  "serverity": "\u4e2d",
  "submitTime": "2023-11-06",
  "title": "Company Website CMS\u6587\u4ef6\u4e0a\u4f20\u6f0f\u6d1e"
}

CVE-2023-5919 (GCVE-0-2023-5919)

Vulnerability from cvelistv5 – Published: 2023-11-02 13:31 – Updated: 2025-02-27 18:51

Summary

A vulnerability was found in SourceCodester Company Website CMS 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /dashboard/createblog of the component Create Blog Page. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-244310 is the identifier assigned to this vulnerability.

Severity ?

4.7 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

4.7 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

CWE

CWE-434 - Unrestricted Upload

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.244310	vdb-entry
	https://vuldb.com/?ctiid.244310	signaturepermissions-required
	https://www.jianshu.com/p/a451953f36f1?v=1698808954608	exploit

Impacted products

	Vendor	Product	Version
	SourceCodester	Company Website CMS	Affected: 1.0

Credits

pursuithappiness (VulDB User)

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T08:14:25.078Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "vdb-entry",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?id.244310"
          },
          {
            "tags": [
              "signature",
              "permissions-required",
              "x_transferred"
            ],
            "url": "https://vuldb.com/?ctiid.244310"
          },
          {
            "tags": [
              "exploit",
              "x_transferred"
            ],
            "url": "https://www.jianshu.com/p/a451953f36f1?v=1698808954608"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2023-5919",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-02-27T18:50:37.659699Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-02-27T18:51:23.492Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "modules": [
            "Create Blog Page"
          ],
          "product": "Company Website CMS",
          "vendor": "SourceCodester",
          "versions": [
            {
              "status": "affected",
              "version": "1.0"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "analyst",
          "value": "pursuithappiness (VulDB User)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A vulnerability was found in SourceCodester Company Website CMS 1.0 and classified as problematic. Affected by this issue is some unknown functionality of the file /dashboard/createblog of the component Create Blog Page. The manipulation leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-244310 is the identifier assigned to this vulnerability."
        },
        {
          "lang": "de",
          "value": "Eine Schwachstelle wurde in SourceCodester Company Website CMS 1.0 gefunden. Sie wurde als problematisch eingestuft. Davon betroffen ist unbekannter Code der Datei /dashboard/createblog der Komponente Create Blog Page. Dank der Manipulation mit unbekannten Daten kann eine unrestricted upload-Schwachstelle ausgenutzt werden. Der Angriff kann \u00fcber das Netzwerk erfolgen. Der Exploit steht zur \u00f6ffentlichen Verf\u00fcgung."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 4.7,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 5.8,
            "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-434",
              "description": "CWE-434 Unrestricted Upload",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-11-02T13:31:06.780Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://vuldb.com/?id.244310"
        },
        {
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.244310"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://www.jianshu.com/p/a451953f36f1?v=1698808954608"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2023-11-02T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2023-11-02T01:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2023-11-02T09:22:39.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "SourceCodester Company Website CMS Create Blog Page createblog unrestricted upload"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2023-5919",
    "datePublished": "2023-11-02T13:31:06.780Z",
    "dateReserved": "2023-11-02T08:16:36.959Z",
    "dateUpdated": "2025-02-27T18:51:23.492Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2023-86326

CVE-2023-5919 (GCVE-0-2023-5919)

Tags

Sightings

Nomenclature