CVE-2023-37629
Published: 12 July 2023
Summary
CVE-2023-37629 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in the Simple Online Piggery Management System (NVD lists the vendor as Simple Online Piggery Management System Project; the package is distributed via SourceCodester). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 0.5% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
Online Piggery Management System 1.0 contains an unrestricted file upload vulnerability (CWE-434) that permits an unauthenticated remote attacker to upload arbitrary PHP files by issuing a POST request to the add-pig.php endpoint. The flaw carries a CVSS 3.1 base score of 9.8, reflecting network-accessible exploitation with no required credentials or user interaction and full impact on confidentiality, integrity, and availability.
An attacker can therefore upload and execute a web shell or other malicious PHP code, resulting in complete compromise of the affected application and underlying server. Public proof-of-concept material on Packet Storm and GitHub demonstrates the unauthenticated upload vector against the freely distributed SourceCodester package.
The listed references consist of exploit disclosures and a vendor download link but contain no official patch, advisory, or mitigation guidance. The EPSS score has remained elevated, with a current value of 0.8715 and a recorded peak of 0.9082.
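Since the page records no vendor patch, the server-side check that add-pig.php is missing is the practical fix. The block below is an added example (not code from the project or from the page): it parses a constructed multipart/form-data POST of the shape described above, ignores the client-supplied Content-Type, and accepts the file only if its extension is on an allowlist, no server-executable extension appears anywhere in the name (so shell.php.png and .htaccess are caught too), the content's magic bytes match the extension, and no PHP open tag is present. The field name pig_image, the boundary string, the stub PNG and the web shell are all assumptions constructed for the example.

```python
"""Server-side validation for a multipart image upload (added example, not project code).

Models the request described for CVE-2023-37629: a multipart/form-data POST to add-pig.php
carrying a file part.  Field name, boundary and sample bodies are constructed assumptions.
"""
import re
import secrets

ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}          # assumption: the form expects photos
# Server-interpretable extensions that must not appear anywhere in the name, so that
# shell.php.png and .htaccess are rejected as well as shell.php.
DANGEROUS_EXT = {"php", "php3", "php4", "php5", "php7", "php8", "phtml",
                 "phar", "phps", "pht", "shtml", "htaccess"}
MAGIC = {"jpg": (b"\xff\xd8\xff",), "jpeg": (b"\xff\xd8\xff",),
         "png": (b"\x89PNG\r\n\x1a\n",), "gif": (b"GIF87a", b"GIF89a")}
PHP_OPEN_TAG = re.compile(rb"<\?")                   # <?php, <?= and short tags


def check_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Return (accepted, reason); trusts neither the client's name nor its Content-Type."""
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]   # drop any client-supplied path
    if not name or any(ord(c) < 0x20 for c in name):        # also rejects NUL bytes
        return False, "invalid filename"
    tokens = name.lower().split(".")
    if len(tokens) < 2 or not tokens[-1]:
        return False, "missing extension"
    if any(t in DANGEROUS_EXT for t in tokens[1:]):
        return False, "server-executable extension in name"
    ext = tokens[-1]
    if ext not in ALLOWED_EXT:
        return False, f"extension .{ext} not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    # A valid image that also carries PHP code is a polyglot; refusing it removes the risk
    # that a later handler misconfiguration (e.g. AddHandler on a double extension) runs it.
    if PHP_OPEN_TAG.search(data):
        return False, "embedded PHP open tag"
    return True, "ok"


def storage_name(ext: str) -> str:
    """Server-generated name for the stored file; the client's name is never reused."""
    return f"{secrets.token_hex(16)}.{ext}"


def _disp_param(disposition: str, key: str):
    m = re.search(rf'\b{key}="([^"]*)"', disposition)    # \b keeps name= from matching filename=
    return m.group(1) if m else None


def parse_multipart(body: bytes, boundary: str) -> list[dict]:
    """Minimal multipart/form-data parser: one dict per part, payload as raw bytes."""
    delim = b"--" + boundary.encode("ascii")
    parts = []
    for chunk in body.split(delim)[1:]:
        if chunk.startswith(b"--"):                      # closing delimiter --boundary--
            break
        raw_headers, _, data = chunk.removeprefix(b"\r\n").partition(b"\r\n\r\n")
        headers = {}
        for line in raw_headers.decode("latin-1").split("\r\n"):
            key, _, value = line.partition(":")
            if value:
                headers[key.strip().lower()] = value.strip()
        disp = headers.get("content-disposition", "")
        parts.append({"name": _disp_param(disp, "name"),
                      "filename": _disp_param(disp, "filename"),
                      "content_type": headers.get("content-type"),
                      "data": data.removesuffix(b"\r\n")})   # CRLF before next delimiter
    return parts


def inspect_request(body: bytes, boundary: str) -> list[tuple]:
    """Validate every file part; returns (field, client filename, accepted, reason)."""
    results = []
    for part in parse_multipart(body, boundary):
        if part["filename"] is None:                     # ordinary text form field
            continue
        ok, reason = check_upload(part["filename"], part["data"])
        results.append((part["name"], part["filename"], ok, reason))
    return results


def build_multipart(fields, boundary: str) -> bytes:
    """Construct a request body; a field is (name, filename or None, bytes)."""
    out = b""
    for name, filename, data in fields:
        disp = f'form-data; name="{name}"' + (f'; filename="{filename}"' if filename else "")
        ctype = b"Content-Type: image/png\r\n" if filename else b""   # attacker-chosen label
        out += (b"--" + boundary.encode("ascii") + b"\r\nContent-Disposition: " + disp.encode()
                + b"\r\n" + ctype + b"\r\n" + data + b"\r\n")
    return out + b"--" + boundary.encode("ascii") + b"--\r\n"


# Constructed samples: a stub PNG header and a one-line web shell.
PNG_OK = b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR" + b"\x00" * 17
WEBSHELL = b"<?php system($_GET['cmd']); ?>"
BOUNDARY = "----ExampleBoundary1234"
LEGIT = build_multipart([("pigname", None, b"Bessie"), ("pig_image", "bessie.png", PNG_OK)], BOUNDARY)
ATTACK = build_multipart([("pigname", None, b"x"), ("pig_image", "shell.php", WEBSHELL)], BOUNDARY)

if __name__ == "__main__":
    for label, body in (("legit", LEGIT), ("attack", ATTACK)):
        for field, fname, ok, reason in inspect_request(body, BOUNDARY):
            print(f"{label}: {field}={fname!r} accepted={ok} ({reason})")
```

The attacker's part is labelled image/png, which is exactly why the check never consults Content-Type. Accepted files should be written under storage_name() into a directory where the web server does not execute PHP, so that even a check bypass yields a dead file rather than a shell.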
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-41510
Vulnerability details
Online Piggery Management System 1.0 is vulnerable to File Upload. An unauthenticated user can upload a php file by sending a POST request to "add-pig.php."
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls (AI-generated)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness type (CWE-434) cited in the NVD entry, so it is generic. The affected target is a PHP web application reached over HTTP, so only the upload-inspection controls fit; the portable-media and firmware entries are CWE-434 mappings that do not apply here.
- Sandbox detonation: dangerous file uploads can be detonated in an isolated environment to determine malice before any production write or execution occurs.
- Upload scanning: scan files from external sources on upload, open or execute, blocking dangerous file types.
- Not applicable to this CVE: requiring identifiable owners for portable devices (addresses anonymous removable media), and keeping hardware firmware write-protect enabled (addresses arbitrary firmware writes).
Because the references carry no vendor patch, the compensating controls a practitioner would actually deploy are the standard CWE-434 ones: enforce a server-side extension and content allowlist on add-pig.php, rename uploads to server-generated names, store them outside the web root or in a directory where the web server does not execute PHP, and restrict access to the application to trusted networks until a fix is available.
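Until the ATT&CK mapping above is filled in, the detection a defender can run today is over web server access logs: the exploitation pattern described in the analysis is a POST to add-pig.php followed shortly by a request for a PHP-like file under the upload directory. The block below is an added example (not from the page or the project). The application prefix /opms/, the upload directory /opms/uploads/ and every log line are constructed assumptions, not data from a real deployment or incident.

```python
"""Detect exploitation of the add-pig.php upload flaw in access logs (added example).

Assumptions: the app is served under /opms/ and writes uploads to /opms/uploads/.
Both paths and all sample log lines below are constructed for this example.
"""
import re
from datetime import datetime, timedelta

# Apache/nginx combined-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
UPLOAD_ENDPOINT = "/opms/add-pig.php"     # assumption
UPLOAD_DIR = "/opms/uploads/"             # assumption: should only ever hold images
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|phps|pht)(\?|$)", re.I)


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]),
            "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")}


def detect(lines, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Flag PHP-like files requested under the upload directory.

    High severity when the same client POSTed to add-pig.php within `window`
    (upload followed by execution); medium otherwise, since a .php under the
    upload directory is abnormal regardless of who requests it.
    """
    alerts = []
    last_post = {}                      # client IP -> time of its last POST to add-pig.php
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and ev["path"].split("?", 1)[0] == UPLOAD_ENDPOINT:
            last_post[ev["ip"]] = ev["time"]
            continue
        if ev["path"].startswith(UPLOAD_DIR) and PHP_EXT.search(ev["path"]):
            posted = last_post.get(ev["ip"])
            chained = posted is not None and timedelta(0) <= ev["time"] - posted <= window
            alerts.append({"ip": ev["ip"], "path": ev["path"], "status": ev["status"],
                           "severity": "high" if chained else "medium",
                           "reason": ("PHP file under uploads requested shortly after POST "
                                      "to add-pig.php from the same IP" if chained else
                                      "PHP file requested under the upload directory")})
    return alerts


# Constructed sample log: one benign image fetch, one upload-then-execute chain,
# one stray probe for a .phtml, one ordinary page hit.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jul/2023:10:01:02 +0000] "POST /opms/add-pig.php HTTP/1.1" 200 1873 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jul/2023:10:01:03 +0000] "GET /opms/uploads/bessie.png HTTP/1.1" 200 24567 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Jul/2023:10:01:05 +0000] "GET /opms/uploads/shell.php?cmd=id HTTP/1.1" 200 512 "-" "curl/8.1.2"
192.0.2.9 - - [12/Jul/2023:11:45:10 +0000] "GET /opms/uploads/x.phtml HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.4 - - [12/Jul/2023:11:50:00 +0000] "GET /opms/index.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(f"[{alert['severity']}] {alert['ip']} {alert['path']} ({alert['status']}): {alert['reason']}")
```

A 404 on the probe line is still reported: an attacker guessing upload names is worth seeing even when the file is not there, and the high-severity chain is the one that warrants immediate triage of the upload directory for dropped PHP files.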