CVE-2023-4122
Student Information System v1.0 - Insecure File Upload
Severity Score
8.8
*CVSS v3.1
Exploit Likelihood
*EPSS
Affected Versions
*CPE
Public Exploits
1
*Multiple Sources
Exploited in Wild
-
*KEV
Decision
-
*SSVC
Descriptions
Student Information System v1.0 is vulnerable to an Insecure File Upload vulnerability on the 'photo' parameter of my-profile page, allowing an authenticated attacker to obtain Remote Code Execution on the server hosting the application.
Student Information System v1.0 es afectado por una vulnerabilidad de carga de archivos insegura en el parámetro 'foto' de la página de mi perfil, lo que permite a un atacante autenticado obtener la ejecución remota de código en el servidor que aloja la aplicación.
*Credits:
N/A
CVSS Scores
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
* Common Vulnerability Scoring System
SSVC
- Decision:-
Exploitation
Automatable
Tech. Impact
* Organization's Worst-case Scenario
Timeline
- 2023-08-02 CVE Reserved
- 2023-12-07 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-11-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-434: Unrestricted Upload of File with Dangerous Type
CAPEC
- CAPEC-650: Upload a Web Shell to a Web Server
References (2)
| URL | Tag | Source |
|---|---|---|
| https://www.kashipara.com | Product |
| URL | Date | SRC |
|---|---|---|
| https://fluidattacks.com/advisories/rubinstein | 2024-08-02 |
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Imsurajghosh Search vendor "Imsurajghosh" | Student Information System Search vendor "Imsurajghosh" for product "Student Information System" | 1.0 Search vendor "Imsurajghosh" for product "Student Information System" and version "1.0" | - |
Affected
| ||||||