CVE-2023-46474

7.2 HIGH (CVSS v3.1; for a remote, low-complexity finding with full confidentiality, integrity and availability impact this value corresponds to AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, i.e. administrator privileges are required)

📋 TL;DR

This vulnerability in PMB v7.4.8 lets a remote attacker upload a crafted PHP file through the start_import.php import endpoint; once that file is requested over HTTP it runs as the web server user, giving arbitrary code execution and privilege escalation on the host. Any organization running the vulnerable version of PMB is affected.

💻 Affected Systems

Products:
  • PMB (PhpMyBibli)
Versions: 7.4.8
Operating Systems: All platforms running PHP
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the default installation of PMB v7.4.8.

📦 What is this software?

PMB (PhpMyBibli) is a free, open-source integrated library system written in PHP on MySQL/MariaDB, published by PMB Services and used by libraries and documentation centres to manage catalogues, loans and the import of bibliographic records, the workflow start_import.php belongs to. It is normally deployed on a LAMP stack, so any PHP file written into a web-served directory executes with the web server's privileges.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise with attacker gaining full administrative control, data exfiltration, and persistent backdoor installation.

🟠 Likely Case

Unauthorized file upload leading to web shell deployment, data manipulation, and lateral movement within the network.

🟢 If Mitigated

Attack blocked at web application firewall or file upload validation layer with no impact.

🌐 Internet-Facing: HIGH - The upload endpoint is reachable with plain HTTP requests, but the 7.2 score means an administrator session is needed first (see Exploit Status); an exposed PMB login with weak, default or reused admin credentials is the realistic entry point.
🏢 Internal Only: MEDIUM - Still exploitable by an internal attacker or a compromised internal system that can obtain PMB admin access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: No. A 7.2 score with full confidentiality, integrity and availability impact over the network is only produced by the CVSS v3.1 vector AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H; the same bug reachable without credentials would score 9.8. Expect to need PMB administrator privileges to reach start_import.php.
Complexity: LOW

Public exploit code is available on GitHub, so once an administrator session is obtained, exploitation is trivial.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 7.4.9 or later

Vendor Advisory: http://pmb.com
Note: pmb.com is not the PMB publisher's site. PMB is published by PMB Services at sigb.net; confirm the fixed release and obtain the upgrade there.

Restart Required: No for the file update itself. If PHP OPcache runs with opcache.validate_timestamps=0, reload PHP-FPM or Apache afterwards, otherwise the old bytecode stays in the cache.

Instructions:

1. Back up the PMB installation directory and the database.
2. Download the latest release from the official PMB site and upgrade following the vendor's upgrade procedure.
3. After the upgrade, list the files in the import/upload directory: the patch closes the upload path but does not remove PHP files an attacker has already planted. Delete anything that is not part of PMB and treat its presence as an incident.
4. Verify the update by checking the version number in the admin interface.

🔧 Temporary Workarounds

Restrict File Upload Types

Platform: all

Stop the web server from executing PHP placed in PMB's import/upload directory. This does not block the upload itself, only the step that turns it into code execution, and it must be scoped to the upload directory: applied to the whole site it takes PMB down, because PMB is PHP. Replace /path/to/upload-dir and /upload-dir/ with the directory start_import.php writes to on your install. If nothing in that directory needs to be served over HTTP at all, denying every request to it is simpler and safer than matching extensions.

# For Apache: put in .htaccess in the upload directory (requires AllowOverride
# Limit or All) or in a <Directory /path/to/upload-dir> block of the vhost.
# Match every extension the PHP handler may run, not just .php.
<FilesMatch "\.(php|php[0-9]|phtml|phar|phps)$">
    # Apache 2.4
    Require all denied
    # Apache 2.2 (or 2.4 with mod_access_compat) uses instead:
    # Order Deny,Allow
    # Deny from all
</FilesMatch>
# With mod_php, "php_flag engine off" in the same .htaccess also disables execution.

# For Nginx: in the server block, placed BEFORE the generic "location ~ \.php$"
# that passes to PHP-FPM. nginx uses the first matching regex location in file
# order, so the deny has no effect if it comes after the fastcgi location.
location ~* ^/upload-dir/.*\.(php|php[0-9]|phtml|phar|phps)$ {
    deny all;
}

Disable start_import.php

Platform: linux

Remove the endpoint from the web root until the upgrade. Renaming it in place to start_import.php.disabled is not enough: a file with an unknown extension is served as plain text by a default Apache or nginx setup, which hands out the source. Move it outside the document root instead. Imports through the admin interface stop working while it is moved.

# locate the file first; the path below PMB's root may differ per install
find /path/to/pmb -name start_import.php
mv /path/to/pmb/start_import.php /path/outside/webroot/start_import.php.disabled

🧯 If You Can't Patch

  • Implement strict file upload validation at the application layer: allowlist the import formats by extension, reject any name that carries a PHP-executable extension in any position (shell.php.txt), and store uploads under a server-generated name.
  • Keep PHP execution disabled in the upload directory (workaround above) and watch that directory with file integrity monitoring; a new *.php there is an incident, not a false positive.
  • Because administrator privileges are required, restrict the PMB admin login to trusted networks or a VPN, enforce strong unique admin passwords, and review which accounts hold import rights.
  • Deploy a web application firewall with file upload protection rules (multipart filename and content-type checks) in front of the PMB host.
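To make the "strict file upload validation" item and the "Restrict File Upload Types" workaround concrete, here is an added example, written for this page in Python for illustration; it is not PMB code and not a drop-in for the PHP application. It shows the checks a server-side import handler should make before writing anything to disk: path stripping, an allowlist on the last extension, refusal of a PHP-executable extension anywhere in the name, a content sniff, and a server-chosen file name. The allowlist {"uni", "txt", "xml"} and the 50 MiB cap are example values, not PMB's real import formats or limits.

```python
"""Server-side upload validation of the kind start_import.php lacked (added example)."""
import re
import secrets

# Extensions a PHP handler may execute wherever they appear in the name:
# Apache AddHandler/mod_php setups have run shell.php.txt as PHP.
EXECUTABLE_EXT = {"php", "php3", "php4", "php5", "php7", "php8",
                  "phtml", "phar", "phps", "pht"}
# Opening tags for PHP code. A secondary check only: encoding tricks and
# include-style payloads get past it, so never rely on it alone.
PHP_OPEN_TAGS = (b"<?php", b"<?=", b'<script language="php"')
MAX_SIZE = 50 * 1024 * 1024   # example cap (50 MiB), not a PMB value


def validate_upload(client_name, content, allowed_ext):
    """Return (accepted, reason, stored_name).

    allowed_ext is the allowlist for the import feature (example values such as
    {"uni", "txt", "xml"}; not PMB's real list). stored_name is chosen by the
    server, so the client never decides what the file is called on disk.
    """
    # Executable extensions can never be allowlisted, whatever the caller passes.
    allowed = {e.lower().lstrip(".") for e in allowed_ext} - EXECUTABLE_EXT
    # 1. Keep only the final path component; "../", "\" and control characters
    #    in a client-supplied name are hostile.
    name = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if not name or re.search(r"[\x00-\x1f\x7f]", name):
        return False, "bad-filename", None
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[-1]:
        return False, "no-extension", None
    ext = parts[-1]
    # 2. Check every dotted component, not just the last one, so shell.php.txt
    #    and .htaccess (empty stem, non-allowlisted extension) are refused.
    if ext not in allowed or any(p in EXECUTABLE_EXT for p in parts[1:]):
        return False, "extension-not-allowed", None
    # 3. Size, then a cheap content sniff for PHP code.
    if len(content) > MAX_SIZE:
        return False, "too-large", None
    if any(tag in content.lower() for tag in PHP_OPEN_TAGS):
        return False, "php-content", None
    # 4. Random server-side name; the directory it lands in must also have PHP
    #    execution disabled (see the web server workaround above).
    return True, "ok", f"{secrets.token_hex(16)}.{ext}"
```

The ordering matters: the name checks run before the content is read so a hostile filename is rejected cheaply, and the executable-extension test looks at every component so a double extension cannot ride in on an allowlisted suffix. The content check is deliberately last and weakest; the control that actually prevents code execution is the web server refusing to run PHP from the upload directory.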

🔍 How to Verify

Check if Vulnerable:

PMB 7.4.8 is the listed vulnerable version. Read the version from the PMB admin interface or from the configuration files of the install.

Check Version:

grep -r 'version' /path/to/pmb/configuration/files/

or check the PMB admin interface.

Verify Fix Applied:

Confirm the version shows 7.4.9 or later. Then, in a test environment with an administrator account, submit a harmless file named test.php (containing only <?php echo 'test'; ?>) through the import form and confirm that it is either rejected or, if stored, returns 403 or 404 when requested over HTTP instead of executing. Remove the test file afterwards and check the upload directory for any other PHP files.

📡 Detection & Monitoring

Log Indicators:

  • POST requests to start_import.php outside normal import activity, or from accounts, source IPs or hours that do not match the staff who run imports
  • Requests for .php, .phtml or .phar files under the import/upload directory that return anything other than 404: PMB does not place PHP there, so a 200 means an uploaded file executed, and a 403 means the web server workaround caught an attempt
  • Bursts of POSTs to start_import.php from one client in a short window, as seen when an attacker tries several filenames or payloads

Network Indicators:

  • HTTP POST requests to /start_import.php with multipart/form-data bodies, followed by GET requests to new .php paths from the same client
  • Unusual outbound connections from the web server (reverse shells, downloads of second-stage tools)

SIEM Query:

Web server access logs do not record the name of an uploaded file, so a field like file_extension does not exist for the upload request itself. Match the upload and the later execution separately and correlate on client IP (replace /upload-dir/ with PMB's import directory on your install):

source="web_server_logs" AND method="POST" AND uri="*/start_import.php"
source="web_server_logs" AND uri="/upload-dir/*.php*" AND status!=404
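As an added example (not part of this advisory or of PMB), the following Python script applies the log indicators above to constructed Apache-style access log lines. It assumes the upload directory is served under /pmb/temp/ (an assumption; set UPLOAD_DIR to the directory start_import.php writes to on your install) and matches start_import.php on its basename, because the full path depends on where PMB is mounted. The sample log is made up for the example.

```python
"""Flag CVE-2023-46474 style activity in web server access logs (added example)."""
import re

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

IMPORT_SCRIPT = "start_import.php"   # endpoint named in the CVE; matched on basename only
UPLOAD_DIR = "/pmb/temp/"            # ASSUMED import/upload directory; adjust per install
PHP_EXT = re.compile(r"\.(php\d?|phtml|phar|phps)$", re.I)

# Constructed sample log (not real traffic). 203.0.113.7 posts an import and
# then calls a PHP file in the upload dir; 198.51.100.9 fetches a legitimate
# export and probes a missing file; 192.0.2.5 hits a PHP file that the web
# server workaround blocks with 403.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2023:13:55:01 +0000] "GET /pmb/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:13:55:36 +0000] "POST /pmb/start_import.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2023:13:55:41 +0000] "GET /pmb/temp/cmd.php?c=id HTTP/1.1" 200 73 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2023:14:02:10 +0000] "GET /pmb/temp/export.uni HTTP/1.1" 200 40960 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Nov/2023:14:03:00 +0000] "GET /pmb/temp/x.phtml HTTP/1.1" 404 196 "-" "curl/8.4.0"
192.0.2.5 - - [10/Nov/2023:15:10:22 +0000] "GET /pmb/temp/shell.php HTTP/1.1" 403 199 "-" "python-requests/2.31"
"""


def parse(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["path"] = e["path"].split("?", 1)[0]   # drop the query string
    return e


def detect(lines, upload_dir=UPLOAD_DIR):
    """Return (ip, reason, path) alerts.

    The access log never shows the *name* of an uploaded file, so a POST to
    start_import.php only says "an import happened". The decisive signal is a
    PHP file being requested under the upload directory: PMB does not put PHP
    there, so anything but 404 means a planted file was reached (403 = the web
    server workaround caught it). A hit from an IP that POSTed earlier is
    tagged as the full upload-then-execute chain.
    """
    alerts, posted = [], set()
    for line in lines:
        e = parse(line)
        if not e:
            continue
        if e["method"] == "POST" and e["path"].rsplit("/", 1)[-1] == IMPORT_SCRIPT:
            posted.add(e["ip"])
            alerts.append((e["ip"], "import-post", e["path"]))
        elif e["path"].startswith(upload_dir) and PHP_EXT.search(e["path"]):
            if e["status"] == 404:
                continue                      # probe for a file that is not there
            reason = "webshell-blocked" if e["status"] == 403 else "webshell-hit"
            if e["ip"] in posted:
                reason += "-after-upload"
            alerts.append((e["ip"], reason, e["path"]))
    return alerts


if __name__ == "__main__":
    for ip, reason, path in detect(SAMPLE_LOG.splitlines()):
        print(f"{ip:15} {reason:28} {path}")
```

Run it against a real log with `detect(open("/var/log/apache2/access.log").read().splitlines())`; the import-post entries are context, the webshell-hit entries are the ones to page on. Because the shell may be called from a different address than the one that uploaded it, the script reports a PHP hit under the upload directory even without a preceding POST from that client.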
