CVE-2023-45856
Published: 14 October 2023
Summary
CVE-2023-45856 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in qdPM. Its CVSS base score is 9.8 (Critical).
Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
qdPM version 9.2 contains an unrestricted file upload vulnerability classified under CWE-434. The flaw resides in the Add Attachments function of the Edit Project feature, which permits an unauthenticated user to upload a PHP file directly to the /uploads directory without any server-side validation or access control checks. The resulting CVSS 9.8 score reflects network-exploitable remote code execution with full confidentiality, integrity, and availability impact.
An attacker can exploit the issue by navigating to an Edit Project page, attaching a crafted .php payload, and then invoking the uploaded file via its predictable URI. Successful execution grants arbitrary command execution on the underlying web server, enabling complete system compromise without requiring credentials or user interaction.
No vendor advisory or patch information is supplied in the available references. The associated EPSS score has remained flat at 0.0659 since disclosure, indicating no material increase in observed exploitation activity.
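The two defensive checks this weakness calls for, written here as an added example that is not qdPM's code: a server-side allowlist and content check an attachment handler should run before writing anything under /uploads, and the same checks re-run over an existing uploads tree to find files that were already accepted. The allowlist of attachment types, the executable-suffix set and the sample files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Suffixes a typical PHP web server will execute; every suffix of a name is
# checked so "photo.php.jpg" is caught as well as "shell.php" (assumed set).
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}
# Attachment types a project tracker actually needs (assumed allowlist).
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".jpeg", ".gif", ".txt", ".docx", ".xlsx"}
# "<?php" or "<?=" anywhere in the leading bytes; catches image/PHP polyglots.
PHP_OPEN_TAG = re.compile(rb"<\?(php|=)", re.IGNORECASE)

def validate_upload(name: str, content: bytes) -> tuple[bool, str]:
    """Server-side check an attachment handler should run before writing to /uploads."""
    suffixes = [s.lower() for s in Path(name).suffixes]
    if not suffixes or suffixes[-1] not in ALLOWED_SUFFIXES:
        return False, "extension not in allowlist"
    if set(suffixes) & EXECUTABLE_SUFFIXES:
        return False, "executable extension present"
    if PHP_OPEN_TAG.search(content[:4096]):
        return False, "PHP open tag in content"
    return True, "ok"

def audit_uploads(root: str) -> list[tuple[str, str]]:
    """Re-run the same checks over an existing uploads tree; returns (relative path, reason)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            with open(path, "rb") as fh:
                head = fh.read(4096)
            ok, reason = validate_upload(path.name, head)
            if not ok:
                findings.append((str(path.relative_to(root)), reason))
    return findings

def demo_audit() -> list[tuple[str, str]]:
    """Build a constructed sample uploads tree (not real qdPM data) and audit it."""
    samples = {
        "spec.pdf": b"%PDF-1.4 constructed sample",
        "shell.php": b"<?php echo 'constructed sample'; ?>",
        "photo.php.jpg": b"\xff\xd8\xff\xe0 constructed sample",
        "logo.gif": b"GIF89a<?php echo 'constructed polyglot'; ?>",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return audit_uploads(tmp)

if __name__ == "__main__":
    for rel, why in demo_audit():
        print(f"{rel}: {why}")
```

Disabling script execution for the uploads location in the web server configuration is the complementary control; this audit only finds what was already accepted.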
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-50125
Vulnerability details
qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.
- CWE(s): CWE-434 Unrestricted Upload of File with Dangerous Type
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.
- Uploaded files can be detonated in a sandbox to determine whether they are malicious before any production write or execution occurs.
- Keeping hardware write-protect enabled, except under tightly controlled manual procedures, prevents unrestricted writing of arbitrary or malicious firmware.
- Scanning files from external sources on download, open or execute blocks unrestricted uploads of dangerous file types.