PT-2025-51743 · Pimpmylog

Thoughtfault · Published 2025-12-16 · Updated 2025-12-30 · CVE-2023-53895

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: PimpMyLog version 1.7.14

Description: The software contains an improper access control issue in the '/configuration' endpoint that allows remote attackers to create administrator accounts without authorization. Because the username field is not sanitized, an attacker can inject JavaScript into it, create a hidden backdoor account, and potentially access sensitive server-side log data and environment variables. The vulnerable endpoint is '/configuration'.

Recommendations: Apply input sanitization and validation to the username field handled by the '/configuration' endpoint, and restrict access to that endpoint to authorized personnel only.


Weakness Enumeration: Improper Authorization

Related Identifiers: CVE-2023-53895

Affected Products: Pimpmylog