CVE-2023-53895

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2023-53895
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53895.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2023-53895
Published
2025-12-16T17:16:01.740Z
Modified
2026-04-10T05:07:27.267913Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator
Summary
[none]
Details

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

References

Affected packages

Git / github.com/potsky/pimpmylog

Affected ranges

Type
GIT
Repo
https://github.com/potsky/pimpmylog
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
2fed8c1fcedb023dfa0e63df48fb20996a40a76c
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.7.14"
        }
    ]
}

Affected versions

v1.*
v1.1.1
v1.2.1
v1.3.0
v1.5.0
v1.5.1
v1.5.2
v1.6.0
v1.6.2
v1.6.3
v1.6.4
v1.7.0
v1.7.1
v1.7.10
v1.7.11
v1.7.12
v1.7.13
v1.7.14
v1.7.2
v1.7.3
v1.7.4
v1.7.5
v1.7.6
v1.7.7
v1.7.8
v1.7.9

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-53895.json"