Detections
Analytics

CVE-2023-53895

critical

Description

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

References

https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint

https://www.pimpmylog.com/

https://www.exploit-db.com/exploits/51593

https://github.com/potsky/PimpMyLog

Details

Source: Mitre, NVD

Published: 2025-12-16

Updated: 2025-12-16

Risk Information

CVSS v2

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Severity: Critical

CVSS v3

Base Score: 9.8

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Severity: Critical

CVSS v4

Base Score: 9.3

Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Severity: Critical