Lucene search

GitHub_MCVE-2023-28854

HistoryApr 03, 2023 - 6:15 p.m.

CVE-2023-28854

2023-04-0318:15:07

CWE-77

GitHub_M

web.nvd.nist.gov

nophp

web framework

php

cve-2023-28854

shell command injection

patch

security update

httpd user

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as env_patchsample230330.php to env.php.

Affected configurations

Nvd

Vulners

Node

nophp_projectnophpRange<0.0.1

VendorProductVersionCPE
nophp_projectnophp*cpe:2.3:a:nophp_project:nophp:*:*:*:*:*:*:*:*

Vendor	Product	Version	CPE
nophp_project	nophp	*	cpe:2.3:a:nophp_project:nophp::::::::

CNA Affected

[
  {
    "vendor": "paijp",
    "product": "nophp",
    "versions": [
      {
        "version": "< 0.0.1",
        "status": "affected"
      }
    ]
  }
]

References

github.com/paijp/nophp/commit/e5409aa2d441789cbb35f6b119bef97ecc3986aa

github.com/paijp/nophp/releases/tag/v0.0.1

github.com/paijp/nophp/security/advisories/GHSA-9858-q3c2-9wwm

CVSS3

8.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

AI Score

Confidence

High

EPSS

0.001

Percentile

42.8%

JSON

Related for CVE-2023-28854