CVE-2023-23596

Name of the Vulnerable Software and Affected Versions NGINX Proxy Manager versions 2.9.19 and earlier

Description The issue allows OS command injection when creating an access list. The backend builds an htpasswd file with crafted username and/or password input that is concatenated without any validation, and is directly passed to the exec command, potentially allowing an authenticated attacker to execute arbitrary commands on the system.

Recommendations For NGINX Proxy Manager versions 2.9.19 and earlier, update to a version later than 2.9.19 to resolve the issue. As a temporary workaround, consider restricting access to the exec command and validating any user input for the username and password variables to minimize the risk of exploitation.