CVE-2023-26968

9.8 CRITICAL

📋 TL;DR

CVE-2023-26968 is an unauthenticated file upload vulnerability in Atrocore 1.5.25: the Create Import Feed feature accepts arbitrary file uploads without any authentication. This affects all Atrocore 1.5.25 installations that expose the vulnerable Create Import Feed feature, and a successful upload can potentially lead to remote code execution.

💻 Affected Systems

Products:
  • Atrocore
Versions: 1.5.25
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Requires the Create Import Feed feature to be accessible, which appears to be enabled by default.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution leading to complete system compromise, data theft, and lateral movement within the network.

🟠 Likely Case

Webshell deployment allowing persistent access, data exfiltration, and further exploitation of the server.

🟢 If Mitigated

File upload attempts blocked at network perimeter or application firewall, limiting impact to failed upload attempts.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit code exists in GitHub repositories, making exploitation trivial for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Disable Create Import Feed Feature (applies to: all)

Remove or disable the vulnerable glyphicon-glyphicon-paperclip function in the Create Import Feed option.

# Edit Atrocore configuration to disable vulnerable feature
# Specific commands depend on Atrocore implementation

Implement File Upload Restrictions (applies to: all)

Configure web server or application to restrict file uploads to authenticated users only.

# Configure .htaccess or web server rules to restrict access
# Example: Require valid-user for upload endpoints

🧯 If You Can't Patch

  • Implement network segmentation to isolate Atrocore instances from critical systems
  • Deploy web application firewall (WAF) with file upload protection rules

🔍 How to Verify

Check if Vulnerable:

Attempt an unauthenticated file upload to the Create Import Feed endpoint. If the upload is accepted, the system is vulnerable.

Check Version:

# Check Atrocore version in application interface or configuration files

Verify Fix Applied:

Verify that unauthenticated file upload attempts are rejected and only authenticated users can upload files.

📡 Detection & Monitoring

Log Indicators:

  • Unauthenticated POST requests to upload endpoints
  • File upload attempts with suspicious extensions (.php, .jsp, .asp)

Network Indicators:

  • Unusual file upload traffic patterns
  • POST requests to /import-feed or similar endpoints without authentication

SIEM Query:

source="web_logs" AND (uri_path="/import-feed" OR uri_path="*upload*") AND http_method="POST" AND user="-"
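The same detection logic as the SIEM query above, applied offline to web server access logs, as an added example that is not part of this advisory or of Atrocore itself. It assumes Apache/nginx "combined" log format and that the remote-user field is "-" for unauthenticated requests; the sample log lines are constructed.

```python
import re
from collections import Counter

# Apache/nginx "combined" format: ip ident user [time] "METHOD path proto" status bytes ...
# Regex written for this example; only the prefix up to the status code is needed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+'
)

def is_upload_path(path):
    """Mirror uri_path="/import-feed" OR uri_path="*upload*" from the SIEM query."""
    path = path.split("?", 1)[0].lower()          # ignore the query string
    return path == "/import-feed" or path.startswith("/import-feed/") or "upload" in path

def find_unauth_uploads(lines):
    """Return (ip, path, status) for POSTs to upload endpoints with no authenticated user."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                              # not combined format: skip, do not crash
        # user == "-" means the web server saw no authenticated user (page indicator: user="-")
        if m["method"] == "POST" and m["user"] == "-" and is_upload_path(m["path"]):
            hits.append((m["ip"], m["path"], int(m["status"])))
    return hits

def top_sources(hits):
    """Rank source IPs by number of flagged requests to surface bursts from one client."""
    return Counter(ip for ip, _, _ in hits).most_common()

# Constructed sample log lines (RFC 5737 documentation addresses), not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [12/Mar/2023:10:15:01 +0000] "POST /import-feed HTTP/1.1" 200 512 "-" "curl/7.88.1"',
    '203.0.113.7 - - [12/Mar/2023:10:15:03 +0000] "POST /api/v1/upload HTTP/1.1" 200 310 "-" "python-requests/2.28"',
    '198.51.100.4 - alice [12/Mar/2023:10:16:10 +0000] "POST /import-feed HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [12/Mar/2023:10:16:12 +0000] "GET /import-feed HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '192.0.2.5 - - [12/Mar/2023:10:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    'this line is not in combined format',
]

if __name__ == "__main__":
    flagged = find_unauth_uploads(SAMPLE_LOG)
    for ip, path, status in flagged:
        print(f"unauthenticated upload POST: {ip} -> {path} ({status})")
    print("top sources:", top_sources(flagged))
```

The remote-user field is only populated when the web server itself performs authentication (for example HTTP Basic auth); with application-level session logins it reads "-" for everyone, so pair this check with Atrocore's own application logs to tell anonymous uploads from authenticated ones.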

🔗 References
