CVE-2023-53924

High CVSS: 8.7

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.

Vendor

Ulicms

Product

Ulicms

CWE

CWE-434

Yayın Tarihi

2025-12-17 23:15:51

Güncelleme

2025-12-18 19:38:40

Source Identifier

disclosure@vulncheck.com

KEV Date Added

Kategoriler

CWE-434 Ulicms HIGH Ulicms 2025

Referanslar

https://web.archive.org/web/20230314183734/https://en.ulicms.de/ https://www.exploit-db.com/exploits/51434 https://www.vulncheck.com/advisories/ulicms-sniffing-vicuna-remote-code-execution-via-avatar-upload https://www.exploit-db.com/exploits/51434

Benzer Kayıtlar

Critical

CVE-2023-53923

UliCMS 2023.1 contains a privilege escalation vulnerability that allows unauthenticated attackers to create administrati…

Medium

CVE-2023-53925

UliCMS 2023.1 contains a stored cross-site scripting vulnerability that allows attackers to upload malicious SVG files w…

Critical

CVE-2023-53914

UliCMS 2023.1 contains an authentication bypass vulnerability that allows unauthenticated attackers to create admin user…