CVE-2023-53894

Source
https://cve.org/CVERecord?id=CVE-2023-53894
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53894.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53894
Published
2025-12-16T17:16:01.550Z
Modified
2026-04-10T05:07:18.475221Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Summary
[none]
Details

phpfm 1.7.9 contains an authentication bypass vulnerability: password hash validation uses PHP's loose type comparison, so an attacker can log in by crafting a password whose hash begins with 0e or 00e (a numeric-looking string that compares equal to the stored hash) and then upload malicious PHP files to the server.

References

Affected packages

Git / github.com/dulldusk/phpfm

Affected ranges

Type
GIT
Repo
https://github.com/dulldusk/phpfm
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.9"
        }
    ]
}

Affected versions

v1.*
v1.61
v1.7
v1.7.1
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53894.json"