exploitDog

CVE-2023-53895

Опубликовано: 16 дек. 2025

Источник: nvd

CVSS3: 9.8

EPSS Низкий

Описание

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

Ссылки

https://github.com/potsky/PimpMyLog
Product
https://www.exploit-db.com/exploits/51593
Exploit
Third Party Advisory
VDB Entry
https://www.pimpmylog.com/
Product
https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:potsky:pimp_my_log:1.7.14:*:*:*:*:*:*:*

EPSS

Процентиль: 67%

0.00552

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-285

Связанные уязвимости

GHSA-v3r2-q367-cjqr

CVSS3: 9.8

github

около 2 месяцев назад

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

EPSS

Процентиль: 67%

0.00552

Низкий

9.8 Critical

CVSS3

Дефекты

CWE-285