CVE-2023-53895

Sažetak

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

Reference

https://github.com/potsky/PimpMyLog
https://www.exploit-db.com/exploits/51593
https://www.pimpmylog.com/
https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint

CVSS

Base:	9.8
Impact:	5.9
Exploitability:	3.9

Pristup

Vektor	Složenost	Autentikacija
NETWORK	LOW	NONE

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	HIGH	HIGH

CVSS vektor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Zadnje važnije ažuriranje

18-12-2025 - 15:08

Objavljeno

16-12-2025 - 17:16