Cyber Resilience

CVE-2023-0789

High · RCE

Published: 12 February 2023

Modified: 21 March 2025
KEV Added
Patch
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0776 (92.1th percentile)
Risk Priority: 21 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-0789 is a high-severity Command Injection (CWE-77) vulnerability in phpMyFAQ. Its CVSS base score is 8.1 (High).

Operationally, it ranks in the top 7.9% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

CVE-2023-0789 is a command injection vulnerability, tracked as CWE-77, that affects the phpMyFAQ application in the thorsten/phpmyfaq GitHub repository for all versions prior to 3.1.11. The flaw stems from insufficient neutralization of special elements in commands and carries a CVSS 3.1 base score of 8.1 reflecting network attack vector, low complexity, and low required privileges.

An authenticated attacker with low privileges can send crafted input over the network to execute arbitrary system commands, resulting in high impact to confidentiality and integrity on the underlying server while leaving availability unaffected.

The issue was resolved by a specific commit in the repository that patches the command injection path, with the fix publicly referenced in the associated huntr.dev bounty report; administrators should upgrade to phpMyFAQ 3.1.11 or apply the equivalent patch.

EPSS for the CVE has remained flat at 0.0776 with no material rise after disclosure.

Vulnerability details

Command Injection in GitHub repository thorsten/phpmyfaq prior to 3.1.11.

CWE(s)

CWE-77

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

phpmyfaq
phpmyfaq
≤ 3.1.11

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.
