cbcvebase.
CVE-2023-2453
published 2023-09-05

CVE-2023-2453: There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement…

PriorityP352high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
0.74%
49.9th percentile
There is insufficient sanitization of tainted file names that are directly concatenated with a path that is subsequently passed to a ‘require_once’ statement. This allows arbitrary files with the ‘.php’ extension for which the absolute path is known to be included and executed. There are no known means in PHPFusion through which an attacker can upload and target a ‘.php’ file payload.

Affected

2 ranges
VendorProductVersion rangeFixed in
php-fusionphpfusion<= 9.10.30
phpfusionphpfusion<= 9.10.30
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.