Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
CVE Vulnerability Details :
CVE-2023-2453
PUBLISHED
More InfoOfficial Page
Assigner-SNPS
Assigner Org ID-8cad7728-009c-4a3d-a95e-ca62e6ff8a0b
View Known Exploited Vulnerability (KEV) details
Published At-05 Sep, 2023 | 14:39
Updated At-27 Sep, 2024 | 13:52
Rejected At-
▼CVE Numbering Authority (CNA)
Local file Inclusion (LFI) in Forum Infusion via Directory Traversal

There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

Affected Products
Vendor
PHPFusion
Product
PHPFusion
Repo
https://github.com/PHPFusion/PHPFusion
Default Status
affected
Versions
Affected
  • From 0 through 9.10.30 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-829CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Type: CWE
CWE ID: CWE-829
Description: CWE-829 Inclusion of Functionality from Untrusted Control Sphere
Metrics
VersionBase scoreBase severityVector
3.18.8HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Version: 3.1
Base score: 8.8
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Metrics Other Info
Impacts
CAPEC IDDescription
CAPEC-252CAPEC-252 PHP Local File Inclusion
CAPEC ID: CAPEC-252
Description: CAPEC-252 PHP Local File Inclusion
Solutions
Configurations
Workarounds

Disabling the “Forum” Infusion through the admin panel removes the endpoint through which this vulnerability is exploited, and so prevents the issue. If the “Forum” Infusion cannot be disabled, technologies such as a web application firewall may help to mitigate exploitation attempts. 

Exploits
Credits
finder
Matthew Hogg
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/
N/A
Hyperlink: https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/
Resource: N/A
▼Authorized Data Publishers (ADP)
1. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/
x_transferred
Hyperlink: https://www.synopsys.com/blogs/software-security/cyrc-vulnerability-advisory-cve-2023-2453/
Resource:
x_transferred
2. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Details not found