CVE-2023-2453 - Vulnerability Details - OpenCVE

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00159.

Exploitation none

Automatable no

Technical Impact total

Vendors	Products
Php-fusion	Phpfusion

Configuration 1 [-]

cpe:2.3:a:php-fusion:phpfusion:*:*:*:*:*:*:*:*

No data.

No data.

Advisories

Source	ID	Title
EUVD	EUVD-2023-33938	There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

Fixes

Solution

No solution given by the vendor.

Workaround

Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.

References

Link	Providers
https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/

History

Fri, 27 Sep 2024 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: SNPS

Published: 2023-09-05T14:39:10.011Z

Updated: 2024-09-27T13:52:08.560Z

Reserved: 2023-05-01T16:45:27.226Z

Link: CVE-2023-2453

Vulnrichment

Updated: 2024-08-02T06:26:08.887Z

NVD

Status : Modified

Published: 2023-09-05T15:15:42.377

Modified: 2024-11-21T07:58:38.753

Link: CVE-2023-2453

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-2453", "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "state": "PUBLISHED", "assignerShortName": "SNPS", "dateReserved": "2023-05-01T16:45:27.226Z", "datePublished": "2023-09-05T14:39:10.011Z", "dateUpdated": "2024-09-27T13:52:08.560Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "PHPFusion", "repo": "https://github.com/PHPFusion/PHPFusion", "vendor": "PHPFusion", "versions": [{"lessThanOrEqual": "9.10.30", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Matthew Hogg"}], "datePublic": "2023-09-05T14:30:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload."}], "value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload."}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "shortName": "SNPS", "dateUpdated": "2023-09-05T14:39:10.011Z"}, "references": [{"url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/"}], "source": {"discovery": "EXTERNAL"}, "title": "Local file Inclusion (LFI) in Forum Infusion via Directory Traversal", "workarounds": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Disabling the \u201cForum\u201d Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the \u201cForum\u201d Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>"}], "value": "\nDisabling the \u201cForum\u201d Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the \u201cForum\u201d Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.\u00a0\n\n\n"}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:08.887Z"}, "title": "CVE Program Container", "references": [{"url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-09-27T13:51:57.602390Z", "id": "CVE-2023-2453", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T13:52:08.560Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T06:26:08.887Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-2453", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2024-09-27T13:51:57.602390Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-09-27T13:52:03.986Z"}}], "cna": {"title": "Local file Inclusion (LFI) in Forum Infusion via Directory Traversal", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "user": "00000000-0000-4000-9000-000000000000", "value": "Matthew Hogg"}], "impacts": [{"capecId": "CAPEC-252", "descriptions": [{"lang": "en", "value": "CAPEC-252 PHP Local File Inclusion"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/PHPFusion/PHPFusion", "vendor": "PHPFusion", "product": "PHPFusion", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "9.10.30"}], "defaultStatus": "affected"}], "datePublic": "2023-09-05T14:30:00.000Z", "references": [{"url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/"}], "workarounds": [{"lang": "en", "value": "\nDisabling the \u201cForum\u201d Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the \u201cForum\u201d Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.\u00a0\n\n\n", "supportingMedia": [{"type": "text/html", "value": "\n\n<span style=\"background-color: rgb(255, 255, 255);\">Disabling the \u201cForum\u201d Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the \u201cForum\u201d Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts.</span><span style=\"background-color: rgb(255, 255, 255);\"> </span>\n\n<br>", "base64": false}]}], "x_generator": {"engine": "Vulnogram 0.1.0-dev"}, "descriptions": [{"lang": "en", "value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload.", "supportingMedia": [{"type": "text/html", "value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-829", "description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere"}]}], "providerMetadata": {"orgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "shortName": "SNPS", "dateUpdated": "2023-09-05T14:39:10.011Z"}}}, "cveMetadata": {"cveId": "CVE-2023-2453", "state": "PUBLISHED", "dateUpdated": "2024-09-27T13:52:08.560Z", "dateReserved": "2023-05-01T16:45:27.226Z", "assignerOrgId": "8cad7728-009c-4a3d-a95e-ca62e6ff8a0b", "datePublished": "2023-09-05T14:39:10.011Z", "assignerShortName": "SNPS"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:php-fusion:phpfusion:*:*:*:*:*:*:*:*", "matchCriteriaId": "593D7CFA-FF94-4476-98CF-C83A17292E94", "versionEndIncluding": "9.10.30", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a \u2018require_once\u2019 statement. This allows arbitrary files with the \u2018.php\u2019 extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a \u2018.php\u2019 file payload."}, {"lang": "es", "value": "La limpieza de nombres de archivo contaminados que se concatenan directamente con una ruta que posteriormente se pasa a una sentencia 'require_once' es insuficiente. Esto permite que se incluyan y ejecuten archivos arbitrarios con la extensi\u00f3n '.php' cuya ruta absoluta se conoce. No hay medios conocidos en PHPFusion a trav\u00e9s de los cuales un atacante pueda cargar y apuntar a una carga \u00fatil de archivo '.php'."}], "id": "CVE-2023-2453", "lastModified": "2024-11-21T07:58:38.753", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "disclosure@synopsys.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-05T15:15:42.377", "references": [{"source": "disclosure@synopsys.com", "tags": ["Third Party Advisory"], "url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/"}], "sourceIdentifier": "disclosure@synopsys.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-829"}], "source": "disclosure@synopsys.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-829"}], "source": "nvd@nist.gov", "type": "Primary"}]}