Home > Vulnerability Database > CVE-2023-50982

Mend.io Vulnerability Database

CVE-2023-50982

Date: January 7, 2024

Stud.IP 5.x through 5.3.3 allows XSS with resultant upload of executable files, because upload_action and edit_action in Admin_SmileysController do not check the file extension. This leads to remote code execution with the privileges of the www-data user. The fixed versions are 5.3.4, 5.2.6, 5.1.7, and 5.0.9.

Language: PHP

Severity Score

9.0

Related Resources (5)

Url: https://sourceforge.net/projects/studip/files/Stud.IP/5.4/

Url: https://gitlab.studip.de/studip/studip/-/tags

Url: https://rehmeinfosec.de/labor/cve-2023-50982

Url: https://nvd.nist.gov/vuln/detail/CVE-2023-50982

Url: https://www.mend.io/vulnerability-database/CVE-2023-50982

Severity Score

9.0

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Unrestricted Upload of File with Dangerous Type

CWE-434

CVSS v3.1

Base Score:	9.0
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

Mend.io Vulnerability Database

We found results for “”

CVE-2023-50982

Date: January 7, 2024

Language: PHP

Severity Score

Related Resources (5)

Severity Score

Weakness Type (CWE)

CVSS v3.1

Do you need more information?