Cyber Resilience

CVE-2023-38874

Severity: High | Public PoC

Published: 28 September 2023

Modified: 21 November 2024
KEV Added: not listed
Patch: none referenced
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.2051 (95.7th percentile)
Risk priority: 30 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-38874 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in Economizzer (vendor and product are both listed as Economizzer). Its CVSS base score is 8.8 (High).

Operationally, it ranks in the top 4.3% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

CVE-2023-38874 is a remote code execution vulnerability arising from insecure file upload handling in gugoan's Economizzer version 0.9-beta1 and commit 3730880 from April 2023. The affected component permits an attacker to upload a PHP web shell as an attachment when adding a new cash book entry, after which the shell can be directly accessed to run arbitrary commands on the server.

An authenticated attacker with low privileges can exploit the flaw over the network with no user interaction required, resulting in full control over the application and underlying host. The issue is tracked under CWE-434 and carries a CVSS 3.1 base score of 8.8 reflecting high impact to confidentiality, integrity, and availability.
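The root cause described above is that the cash book attachment endpoint accepts any file type and stores it where the web server will execute it. As an added illustration that is not Economizzer's code and not a patch for this CVE, the following PHP handler shows the controls a defender would expect at that point: a last-extension allowlist, content sniffing with finfo instead of the client-supplied type, a check for embedded PHP tags, a server-chosen random filename, and storage outside the web root. The class name, the storage directory, the size cap and the allowlist are assumptions for the example.

```php
<?php
// Added example (not Economizzer's code): a hardened attachment handler of the
// kind that closes a CWE-434 upload flaw. Class name, storage path, size cap
// and the allowlist below are assumptions for illustration. Requires PHP 8+.

declare(strict_types=1);

final class AttachmentUploadException extends RuntimeException {}

final class SafeAttachmentStore
{
    /** Allowlisted extension => MIME type the file content must sniff as (assumed policy). */
    private const ALLOWED = [
        'pdf'  => 'application/pdf',
        'png'  => 'image/png',
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
    ];

    private const MAX_BYTES = 5 * 1024 * 1024; // assumed size cap

    /** $storageDir must be OUTSIDE the document root so nothing in it is ever served or executed directly. */
    public function __construct(private string $storageDir) {}

    /**
     * Validate one entry of $_FILES and move it to storage under a random name.
     * Returns metadata for the database row; the original name is never used as a path.
     */
    public function store(array $file): array
    {
        if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
            throw new AttachmentUploadException('upload failed or missing');
        }
        if (!is_uploaded_file($file['tmp_name'])) {
            throw new AttachmentUploadException('not an uploaded file');
        }
        if ((int) $file['size'] > self::MAX_BYTES) {
            throw new AttachmentUploadException('file too large');
        }

        // 1. Allowlist the LAST extension only, lower-cased. "shell.php.png" is judged
        //    by "png", and the content check in step 2 must then agree with it.
        $original = basename((string) $file['name']);
        $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
        if (!isset(self::ALLOWED[$ext])) {
            throw new AttachmentUploadException("extension not allowed: $ext");
        }

        // 2. Sniff the content. $file['type'] comes from the client and is untrusted.
        $finfo = new finfo(FILEINFO_MIME_TYPE);
        $mime = $finfo->file($file['tmp_name']);
        if ($mime !== self::ALLOWED[$ext]) {
            throw new AttachmentUploadException("content type $mime does not match .$ext");
        }

        // 3. Refuse polyglots: a valid image with PHP appended still sniffs as an image.
        $body = (string) file_get_contents($file['tmp_name'], false, null, 0, self::MAX_BYTES);
        if (stripos($body, '<?php') !== false || stripos($body, '<?=') !== false) {
            throw new AttachmentUploadException('embedded PHP code detected');
        }

        // 4. Server-chosen random name, stored outside the web root, not executable.
        $stored = bin2hex(random_bytes(16)) . '.' . $ext;
        $dest = rtrim($this->storageDir, '/') . '/' . $stored;
        if (!move_uploaded_file($file['tmp_name'], $dest)) {
            throw new AttachmentUploadException('could not move file');
        }
        chmod($dest, 0640);

        return ['stored_name' => $stored, 'original_name' => $original, 'mime' => $mime];
    }
}

// Usage from a controller (assumed form field name "attachment"):
// $meta = (new SafeAttachmentStore('/var/app/attachments'))->store($_FILES['attachment']);
```

Files stored this way should be served back through a download action that streams them with `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, never by a direct URL into the storage directory; that second layer means a file that slips past validation is still delivered as inert data rather than executed by the server.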

The listed references consist of public GitHub repositories for the Economizzer project and associated vulnerability research; they contain no details on official patches or mitigation steps. The EPSS score has remained flat: its peak and current value are both 0.2051, with no material rise observed after disclosure.


Vulnerability details

A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry. Afterwards, the attacker may visit the web shell and execute arbitrary commands.

CWE(s)

CWE-434: Unrestricted Upload of File with Dangerous Type

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: economizzer
Product: economizzer
Versions: 0.9, april_2023

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- Addresses CWE-434: Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Addresses CWE-434: Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Addresses CWE-434: Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Addresses CWE-434: Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References