← volver
CVE-2023-23596

CVE-2023-23596

CVSS 8.8 HIGHEPSS 15.2%CWE-78
Vexday Risk Score
26Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 8.8EPSS 15.2%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
20 ene 2023Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
jc21 NGINX Proxy Manager through 2.9.19 allows OS command injection. When creating an access list, the backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system. NOTE: this is not part of any NGINX software shipped by F5.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Productos afectados
n/a · n/a

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://advisory.dw1.io/57https://github.com/NginxProxyManager/nginx-proxy-manager/blob/4f10d129c20cc82494b95cc94b97f859dbd4b54d/backend/internal/access-list.js#L510