Cyber Resilience

CVE-2023-45856

Critical · Public PoC

Published: 14 October 2023

Modified: 21 November 2024
KEV Added
Patch
CVSS Score v3.1: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0659 (91.4th percentile)
Risk Priority: 24 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-45856 is a critical-severity Unrestricted Upload of File with Dangerous Type (CWE-434) vulnerability in qdPM (vendor: qdpm). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 8.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Deeper analysis

qdPM version 9.2 contains an unrestricted file upload vulnerability classified under CWE-434. The flaw resides in the Add Attachments function of the Edit Project feature, which permits an unauthenticated user to upload a PHP file directly to the /uploads directory without any server-side validation or access control checks. The resulting CVSS 9.8 score reflects network-exploitable remote code execution with full confidentiality, integrity, and availability impact.

An attacker can exploit the issue by navigating to an Edit Project page, attaching a crafted .php payload, and then invoking the uploaded file via its predictable URI. Successful execution grants arbitrary command execution on the underlying web server, enabling complete system compromise without requiring credentials or user interaction.

No vendor advisory or patch information is supplied in the available references. The associated EPSS score has remained flat at 0.0659 since disclosure, indicating no material increase in observed exploitation activity.
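Since no patch is referenced, detection of the post-upload step matters. The following Python snippet is an added illustration, not part of this advisory or of qdPM, that scans web server access logs for fetches of executable scripts under the /uploads tree and attaches the client's most recent POST as context; the Edit Project route and the log lines are constructed assumptions, not qdPM's real paths.

```python
import re

# Constructed sample lines in combined log format; not real qdPM traffic.
# The POST path is an assumed stand-in for the Edit Project request.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Oct/2023:10:01:02 +0000] "POST /index.php/projects/edit/7 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.5 - - [15/Oct/2023:10:01:09 +0000] "GET /uploads/attachments/photo.php?v=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Oct/2023:10:03:44 +0000] "GET /uploads/attachments/report.pdf HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
10.0.0.7 - - [15/Oct/2023:10:05:00 +0000] "GET /uploads/notes.phtml HTTP/1.1" 404 0 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Extensions a typical PHP handler executes: .php as in the advisory, plus
# common aliases; the trailing group also catches double extensions (x.php.jpg).
EXEC_EXT = re.compile(r'\.(php\d?|phtml|phar)(?:\.|$)', re.IGNORECASE)
UPLOAD_PREFIX = "/uploads/"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string
    return rec


def find_upload_execution(log_text):
    """Alert on fetches of executable scripts under /uploads, with context:
    whether the file was served (200) and the client's last POST, which in
    this CVE's attack path is the Edit Project request that placed the file."""
    last_post, alerts = {}, []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST":
            last_post[rec["ip"]] = rec["path"]
        elif rec["path"].startswith(UPLOAD_PREFIX) and EXEC_EXT.search(rec["path"]):
            alerts.append({"ip": rec["ip"], "time": rec["ts"], "path": rec["path"],
                           "served": rec["status"] == 200,
                           "prior_post": last_post.get(rec["ip"])})
    return alerts
```

A "served" alert on a 200 response is the high-priority case; a 404 still indicates someone probing for a dropped file and is worth keeping as a lower-severity signal.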

EU & UK References

Vulnerability details

qdPM 9.2 allows remote code execution by using the Add Attachments feature of Edit Project to upload a .php file to the /uploads URI.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qdpm
Product: qdpm
Version: 9.2

Mitigating Controls

Likely Mitigating Controls (AI-generated)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-434

Requiring identifiable owners for portable devices reduces the attack surface for unrestricted uploads of dangerous file types via anonymous media.

addresses: CWE-434

Dangerous file uploads can be detonated in the chamber to determine malice before any production write or execution occurs.

addresses: CWE-434

Prevents unrestricted writing of arbitrary or malicious firmware by keeping hardware write-protect enabled except under tightly controlled manual procedures.

addresses: CWE-434

Scans files from external sources on download/open/execute, blocking unrestricted uploads of dangerous file types.

References