CVE-2023-53892
BaseFortify
Publication date: 2025-12-15
Last updated on: 2025-12-17
Assigner: VulnCheck
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| blackcat-cms | blackcat_cms | 1.4 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Blackcat CMS 1.4 allows authenticated administrators to upload malicious PHP files via the jQuery plugin manager. Specifically, an attacker with admin access can upload a ZIP file containing a PHP shell script. Once uploaded, the attacker can execute arbitrary system commands on the server by accessing the uploaded PHP file with a 'code' parameter. This happens because the system does not properly validate or sanitize uploaded plugin files, enabling remote code execution under the web server's privileges. [1, 2]
How can this vulnerability impact me?
This vulnerability can lead to remote code execution on the server hosting Blackcat CMS, allowing an attacker with admin credentials to run arbitrary system commands. This can compromise the confidentiality, integrity, and availability of the system, potentially leading to data theft, system manipulation, or denial of service. Since the attacker needs authenticated admin access, the impact is severe if such credentials are compromised or misused. [1, 2]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether Blackcat CMS version 1.4 is running and whether the jQuery plugin manager endpoint is accessible. Specifically, you can verify whether an uploaded malicious PHP file exists in the directory `/upload/modules/lib_jquery/plugins/poc/`. To detect exploitation, look for HTTP requests to URLs like `/upload/modules/lib_jquery/plugins/poc/poc.php?code=<command>`. Additionally, monitoring for unusual POST requests to `/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr` that upload ZIP files containing PHP scripts can help detect attempts. Example commands include using curl or wget to test the upload endpoint (with an authenticated admin session) and checking for the presence of suspicious files on the server. For example, on the server you can run `find /path/to/blackcatcms/upload/modules/lib_jquery/plugins/ -name '*.php'` to find unexpected PHP files. Monitoring web server logs for access to `poc.php` with query parameters can also indicate exploitation attempts. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the jQuery plugin manager to trusted administrators only, ensuring that only authorized users can upload plugins. Applying patches or updates from the vendor that fix the unrestricted file upload vulnerability is critical. If no patch is available, disable or restrict the plugin upload functionality temporarily. Additionally, scan the server for any uploaded malicious PHP files in the plugin directories and remove them. Implement web application firewall (WAF) rules to block suspicious upload attempts and access to uploaded PHP files with query parameters that execute system commands. Finally, monitor logs for any signs of exploitation and consider isolating or taking the affected system offline until it is secured. [1, 2]
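The log-monitoring and file-scanning checks described in the detection and mitigation answers above, turned into a small script. This is an added example and is not code from BaseFortify, VulnCheck or the Blackcat CMS project. It assumes web server access logs in the common Apache/Nginx combined format, and the `reason` labels and the sample log lines are constructed for illustration; the endpoint paths and the `code` query parameter come from the answers above.

```python
import re
import sys
from urllib.parse import parse_qs, urlsplit

# Paths named in the detection answer above.
PLUGIN_MGR_PATH = "/upload/backend/admintools/tool.php"
PLUGIN_DIR_PREFIX = "/upload/modules/lib_jquery/plugins/"

# Apache/Nginx combined log format (assumed): client, ident, user, [timestamp],
# "METHOD target PROTO", status, size. Only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines: an admin-session POST to the plugin manager, a
# follow-up request to a PHP file under the plugin directory with a 'code'
# parameter, and two benign requests (a .js plugin asset and a GET of the
# plugin manager page, which is normal admin browsing and is not flagged).
SAMPLE_LOG = [
    '203.0.113.5 - - [15/Dec/2025:10:01:02 +0000] "POST /upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1" 200 512',
    '203.0.113.5 - - [15/Dec/2025:10:01:09 +0000] "GET /upload/modules/lib_jquery/plugins/poc/poc.php?code=id HTTP/1.1" 200 73',
    '198.51.100.7 - - [15/Dec/2025:10:02:00 +0000] "GET /upload/modules/lib_jquery/plugins/jquery.cookie/jquery.cookie.js HTTP/1.1" 200 3211',
    '198.51.100.7 - - [15/Dec/2025:10:02:05 +0000] "GET /upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1" 200 8800',
]


def parse_log_line(line):
    """Return a dict of the captured fields, or None for lines that do not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(entry):
    """Map one parsed request to a reason label, or None if it looks benign."""
    parts = urlsplit(entry["target"])
    params = parse_qs(parts.query, keep_blank_values=True)
    # A POST to the plugin manager is the upload step; GETs of the same page
    # are ordinary admin navigation and are left alone.
    if (entry["method"] == "POST" and parts.path == PLUGIN_MGR_PATH
            and "jquery_plugin_mgr" in params.get("tool", [])):
        return "plugin_manager_post"
    # Any PHP file served from the plugin directory is unexpected; one that
    # also carries a 'code' parameter matches the exploitation pattern exactly.
    if parts.path.startswith(PLUGIN_DIR_PREFIX) and parts.path.endswith(".php"):
        return "php_with_code_param" if "code" in params else "php_in_plugin_dir"
    return None


def scan_log(lines):
    """Return a finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        entry = parse_log_line(line)
        if entry is None:
            continue
        reason = classify(entry)
        if reason:
            findings.append({"ip": entry["ip"], "ts": entry["ts"],
                             "target": entry["target"], "reason": reason})
    return findings


def unexpected_php_files(paths):
    """Filter a list of file paths (e.g. the output of the find command above)
    down to PHP files under the jQuery plugin directory, which should not exist."""
    return sorted(p for p in paths
                  if PLUGIN_DIR_PREFIX in p and p.endswith(".php"))


if __name__ == "__main__":
    # Pipe a real access log on stdin, or run with no input to use the sample.
    lines = sys.stdin.read().splitlines() if not sys.stdin.isatty() else SAMPLE_LOG
    for f in scan_log(lines):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['target']}")
```

Running the script with an access log on stdin prints one line per flagged request; the file check takes the path list from the `find` command in the detection answer, so it can be run on the output of that command rather than walking the filesystem itself.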