Main Vulnerability Database Vulnerabilities #VU83293

PHP file inclusion in Bumsys - CVE-2023-2551

Published: November 20, 2023

Vulnerability identifier: #VU83293

CSH Severity: High

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Amber

CVE-ID: CVE-2023-2551

CWE-ID: CWE-98

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Bumsys

Software vendor:
unilogies

Description

The vulnerability allows a remote user to include and execute arbitrary PHP files on the server.

The vulnerability exists due to incorrect input validation when including PHP files. A remote user with a valid API key can send a specially crafted HTTP request to the affected application, include and execute arbitrary PHP code on the system with privileges of the web server.

Remediation

Install updates from vendor's website.

External links

https://github.com/unilogies/bumsys/commit/86e29dd23df348ec6075f0c0de8e06b8d9fb0a9a
https://huntr.dev/bounties/5723613c-55c6-4f18-9ed3-61ad44f5de9c

PHP file inclusion in Bumsys - CVE-2023-2551

Description

Remediation

External links

Please verify you're human