cbcvebase.
CVE-2023-0455
published 2023-01-26

CVE-2023-0455: Unrestricted Upload of File with Dangerous Type in GitHub repository unilogies/bumsys prior to v1.0.3-beta.

Priority: P260, high
CVSS 3.1: 8.8
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.75% (92.1th percentile)

Affected

4 ranges
Vendor | Product | Version range | Fixed in
bumsys_project | bumsys | |
bumsys_project | bumsys | |
bumsys_project | bumsys | |
unilogies | unilogies_bumsys | >= unspecified < v1.0.3-beta | v1.0.3-beta

Detection & IOCs (extracted from sources)

url: POST /xhr/?module=settings&page=updateShop
url: https://demo.bumsys.org/settings/shop-list/
filename: profile picture.php
  • Monitor multipart/form-data POST requests to /xhr/?module=settings&page=updateShop where the shopLogo field contains a filename with a server-side executable extension (e.g., .php) while the Content-Type is spoofed as image/png.
  • Alert on POST requests to the /xhr/ endpoint with query parameters module=settings&page=updateShop, particularly from external or unexpected origins, as this is the vulnerable file upload handler.
  • Detect file uploads where the declared Content-Type is an image type (e.g., image/png) but the filename extension is a PHP or other server-side script extension — a classic MIME-type bypass for unrestricted file upload.
  • Look for the presence of the X-Requested-With: XMLHttpRequest header combined with the X-Csrf-Token header on upload requests to /xhr/ — this is the expected request pattern for exploitation of this endpoint.
  • The exploit was demonstrated against bumsys v1.0.3-beta; versions prior to v1.0.3-beta are also stated as vulnerable per the NVD advisory. Confirm the patched version before assuming remediation.
  • The server responds with HTTP 200 and 'Shop successfully updated.' even when a malicious PHP file is uploaded, meaning HTTP response codes alone cannot be used to distinguish successful exploitation from a legitimate shop update.
  • The exploit was tested on Windows 11 with XAMPP-8.2.0 and a PHP/7.0.33 backend (Apache/2.4.51). Detection rules should account for this stack but the vulnerability is not inherently OS-specific.
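
The upload checks above can be applied to captured requests as follows. This is an added example, not code from bumsys or from the advisory: the extension list, the shopName field, the boundary string and the helper names are assumptions, and the sample request is constructed.

```python
import os
from email import message_from_bytes
from email.policy import HTTP
from urllib.parse import parse_qs, urlsplit

# Assumed list of extensions the web server may execute; adjust to the handler config.
SCRIPT_EXTS = {".php", ".phtml", ".phar", ".php5", ".php7"}

def inspect_upload(method, target, content_type, body):
    """Return (filename, declared_type, spoofed_as_image) per suspicious shopLogo part."""
    url = urlsplit(target)
    query = parse_qs(url.query)
    if (method, url.path) != ("POST", "/xhr/"):
        return []
    if query.get("module") != ["settings"] or query.get("page") != ["updateShop"]:
        return []
    # Reuse the stdlib MIME parser: prepend the request's Content-Type to the body.
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    findings = []
    for part in message_from_bytes(raw, policy=HTTP).iter_parts():
        field = part.get_param("name", header="content-disposition")
        filename = part.get_filename()
        if field != "shopLogo" or not filename:
            continue
        ext = os.path.splitext(filename)[1].lower()
        if ext in SCRIPT_EXTS:
            declared = part.get_content_type()
            findings.append((filename, declared, declared.startswith("image/")))
    return findings

def sample_request(filename, part_type):
    """Constructed multipart body for testing; not a capture from a real system."""
    boundary = "----constructedBoundary01"
    body = (
        f"--{boundary}\r\n"
        'Content-Disposition: form-data; name="shopName"\r\n\r\nDemo\r\n'
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="shopLogo"; filename="{filename}"\r\n'
        f"Content-Type: {part_type}\r\n\r\nplaceholder-bytes\r\n"
        f"--{boundary}--\r\n"
    ).encode()
    return f"multipart/form-data; boundary={boundary}", body

if __name__ == "__main__":
    target = "/xhr/?module=settings&page=updateShop"
    for name in ("profile picture.php", "logo.png"):
        ctype, body = sample_request(name, "image/png")
        print(name, "->", inspect_upload("POST", target, ctype, body))
```

Because the server answers HTTP 200 in both cases, the check runs on the request body rather than on the response. It compares only the final extension of the filename.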

CVSS provenance

nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v3.0 | 7.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L