CVE-2023-38874
Published: 28 September 2023
Summary
CVE-2023-38874 is a high-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in gugoan's Economizzer. Its CVSS base score is 8.8 (High).
Operationally, it is ranked in the top 4.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-38874 is a remote code execution vulnerability arising from insecure file upload handling in gugoan's Economizzer version 0.9-beta1 and commit 3730880 from April 2023. The affected component permits an attacker to upload a PHP web shell as an attachment when adding a new cash book entry, after which the shell can be directly accessed to run arbitrary commands on the server.
An authenticated attacker with low privileges can exploit the flaw over the network with no user interaction required, resulting in full control over the application and underlying host. The issue is tracked under CWE-434 and carries a CVSS 3.1 base score of 8.8 reflecting high impact to confidentiality, integrity, and availability.
The listed references consist of public GitHub repositories for the Economizzer project and associated vulnerability research; they contain no details on official patches or mitigation steps. The EPSS score has remained flat: its peak and current value is 0.2051, with no material rise observed after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2568
Vulnerability details
A remote code execution (RCE) vulnerability via an insecure file upload exists in gugoan's Economizzer v.0.9-beta1 and commit 3730880 (April 2023). A malicious attacker can upload a PHP web shell as an attachment when adding a new cash book entry.
Afterwards, the attacker may visit the web shell and execute arbitrary commands.
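The hardened counterpart of the attachment handling described above, as an added example that is not Economizzer's code: the attachment type is decided from the file bytes against an allow-list, the file gets a server-chosen name and extension, and it is stored outside the web root so nothing uploaded can ever be executed by the web server. The function name `saveAttachment` and the storage directory are assumptions.

```php
<?php
// Added example (not Economizzer code): hardened handling for a cash book
// entry attachment. saveAttachment() and the storage path are assumptions.

declare(strict_types=1);

// Allow-list of the attachment types a cash book entry plausibly needs
// (receipts, invoices). Keyed by sniffed MIME type; value is the extension
// the server will assign, regardless of what the client called the file.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];
const MAX_BYTES = 5 * 1024 * 1024;

/**
 * Validate an uploaded file ($_FILES entry) and store it outside the web root.
 * Returns the opaque stored filename, or throws on any policy violation.
 */
function saveAttachment(array $file, string $storageDir): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('attachment too large');
    }
    // Type comes from the bytes, never from the client-supplied name or
    // Content-Type header, so "shell.php" or "shell.jpg.php" is rejected.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("type $mime not permitted");
    }
    // Server-chosen name and extension: no user-controlled path component.
    // A polyglot (valid image with PHP inside) still passes the sniff, which
    // is why $storageDir must lie outside the document root and be
    // served only through a download controller, never directly.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($storageDir, '/') . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store attachment');
    }
    chmod($dest, 0640); // readable by the app, never executable
    return $name;
}

// Usage from the "add cash book entry" controller (path is an assumption):
// $stored = saveAttachment($_FILES['attachment'], '/var/app/attachments');
```

When the attachment is later downloaded, the controller should read it from `/var/app/attachments`, send `Content-Disposition: attachment` and `X-Content-Type-Options: nosniff`, and set `Content-Type` from the stored extension rather than trusting anything the uploader supplied.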
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping has not run yet for this CVE; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.
- Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.
- Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.