Cyber Resilience

CVE-2023-28854

Severity: High · Impact: RCE

Published: 03 April 2023
Modified: 21 November 2024
KEV Added: not listed (not in the CISA KEV catalog)
Patch: available, commit e5409aa2d441789cbb35f6b119bef97ecc3986aa (2023-03-30)
CVSS Score v3.1: 8.0 (CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H)
EPSS Score: 0.0761 (92.0th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-28854 is a high-severity Command Injection (CWE-77) vulnerability in nophp, a PHP web framework from the nophp project. Its CVSS v3.1 base score is 8.0 (High).

Operationally, its EPSS score of 0.0761 (92.0th percentile) places it in the top 8.0% of CVEs by estimated exploit likelihood; it is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Deeper analysis

nophp is a PHP web framework that is vulnerable to shell command injection prior to version 0.0.1. The weakness is classified as CWE-77 (Command Injection): attacker-controlled input reaches a shell, so an attacker can execute arbitrary commands as the httpd user, the account the web server runs under. The vulnerability carries a CVSS v3.1 base score of 8.0.

Per the vector, an authenticated user with low privileges (PR:L) can supply crafted input over the network (AV:N) that reaches the vulnerable code path, with some user interaction required (UI:R). The result is command execution as the web server account, which gives the attacker control over every file and process that account can reach, hence High confidentiality, integrity and availability impact (C:H/I:H/A:H) within the web server's own authority (S:U).
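The page does not show nophp's vulnerable code path, so the following is a generic illustration of the weakness class, added here and not taken from the nophp project: a PHP handler that builds a shell command line from a request parameter, beside two hardened versions. The `name` parameter, the upload directory and the use of `ls` are assumptions chosen for the example.

```php
<?php
// Added example, not nophp's code and not the vulnerable code path of this CVE:
// a generic PHP handler that builds a shell command from a request parameter,
// beside two hardened versions. The "name" parameter, the upload directory and
// the use of "ls" are assumptions chosen for illustration.

// VULNERABLE: the parameter is interpolated straight into a shell command line.
// shell_exec()/exec()/system() hand this string to /bin/sh -c, so shell
// metacharacters in $name (";", "|", "$(...)", backticks) become commands that
// run as the web server account.
function list_upload_vulnerable(string $name): string {
    return "ls -l /var/www/uploads/$name";
}

// Strict allow-list for the value: one path component, no leading dot or dash,
// so neither path traversal nor option injection is possible.
function validate_upload_name(string $name): string {
    if (!preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,63}\z/', $name)) {
        throw new InvalidArgumentException("rejected upload name: $name");
    }
    return $name;
}

// HARDENED (1): validate, then quote with escapeshellarg() so that the value
// reaches ls as exactly one argument whatever it contains. The "--" stops a
// name from being parsed as an ls option.
function list_upload_hardened(string $name): string {
    $name = validate_upload_name($name);
    return 'ls -l -- ' . escapeshellarg("/var/www/uploads/$name");
}

// HARDENED (2): do not involve a shell at all. Since PHP 7.4, proc_open()
// accepts the command as an array, which is executed directly (no /bin/sh),
// so there is no command line for an attacker to break out of.
function list_upload_no_shell(string $name): string {
    $name = validate_upload_name($name);
    $proc = proc_open(
        ['ls', '-l', '--', "/var/www/uploads/$name"],
        [1 => ['pipe', 'w'], 2 => ['pipe', 'w']],
        $pipes
    );
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start ls');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Constructed request value: a benign-looking name followed by a second command.
$payload = 'report; id';

// The vulnerable builder silently turns the payload into two shell commands.
echo "vulnerable: ", list_upload_vulnerable($payload), PHP_EOL;

// The hardened builder quotes a legitimate name and rejects the payload outright.
echo "hardened:   ", list_upload_hardened('report.txt'), PHP_EOL;
try {
    list_upload_hardened($payload);
} catch (InvalidArgumentException $e) {
    echo "hardened:   ", $e->getMessage(), PHP_EOL;
}
```

Of the two hardened forms, prefer the array form of `proc_open()`: `escapeshellarg()` is correct on POSIX shells but its behaviour differs on Windows, and a later refactor that drops the quoting reintroduces the bug, whereas with no shell in the path there is nothing to quote.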

The project fixed the issue in commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 30 March 2023, released as version 0.0.1. The advisory tells users to update index.php to the 2023-03-30 revision or later; as a workaround, a function such as env_patchsample230330.php can be added to env.php. On a git checkout, the quickest check that the fix is actually deployed is to confirm that commit is an ancestor of the revision running in production.

Its EPSS score has held flat at 0.0761 since disclosure, with no material increase.

Vulnerability details

nophp is a PHP web framework. Prior to version 0.0.1, nophp is vulnerable to shell command injection on httpd user. A patch was made available at commit e5409aa2d441789cbb35f6b119bef97ecc3986aa on 2023-03-30. Users should update index.php to 2023-03-30 or later or, as a workaround, add a function such as `env_patchsample230330.php` to env.php.

CWE(s)

CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: nophp project
Product: nophp
Versions: ≤ 0.0.1

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.