CVE-2023-28854
Published: 03 April 2023
Summary
CVE-2023-28854 is a high-severity Command Injection (CWE-77) vulnerability in Nophp Project Nophp. Its CVSS base score is 8.0 (High).
Operationally, it is ranked in the top 8.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
nophp is a PHP web framework that is vulnerable to shell command injection prior to version 0.0.1. The flaw, tracked as CWE-77, allows an attacker to execute arbitrary commands in the context of the httpd user and carries a CVSS 3.1 score of 8.0.
An authenticated user with limited privileges can supply crafted input that reaches the vulnerable code path, resulting in command execution that yields full control over files and processes accessible to the web server account.
The project addressed the issue in commit e5409aa2d441789cbb35f6b119bef97ecc3986aa, released as version 0.0.1 on 30 March 2023. The advisory recommends updating index.php to that date or later; as a workaround, administrators can add a function such as env_patchsample230330.php to env.php.
The associated EPSS score has remained flat at 0.0761 with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-32478
Vulnerability details
nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.