Cyber Posture

CVE-2023-53895

Severity: Critical · Public PoC available

Published: 16 December 2025
Modified: 30 December 2025
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0074 (73.1st percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

PimpMyLog 1.7.14 contains an improper access control vulnerability that allows remote attackers to create admin accounts without authorization through the configuration endpoint. Attackers can exploit the unsanitized username field to inject malicious JavaScript, create a hidden backdoor account, and potentially access sensitive server-side log information and environmental variables.

Mitigating Controls (NIST 800-53 r5)

Prevent: Enforces approved authorizations on the configuration endpoint to prevent unauthorized admin account creation.

Prevent: Requires management processes that prohibit unauthorized creation of admin accounts, including backdoor accounts.

Prevent: Validates inputs to the username field to block malicious JavaScript injection during account creation.

Security Summary

CVE-2023-53895 is an improper access control vulnerability (CWE-285) in PimpMyLog version 1.7.14. The flaw resides in the configuration endpoint, which permits remote attackers to create admin accounts without any authorization. Additionally, the unsanitized username field allows injection of malicious JavaScript, enabling further compromise.

Remote attackers require only network access to exploit this vulnerability, with no privileges, user interaction, or special conditions needed (CVSS v3.1 score of 9.8: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Successful exploitation lets attackers create hidden backdoor admin accounts via JavaScript injection, potentially granting access to sensitive server-side log information and environmental variables.

Advisories and resources, including the VulnCheck advisory at https://www.vulncheck.com/advisories/pimpmylog-improper-access-control-via-account-creation-endpoint, the project site at https://www.pimpmylog.com/, and the GitHub repository at https://github.com/potsky/PimpMyLog, provide details on mitigation. A public proof-of-concept exploit is documented at https://www.exploit-db.com/exploits/51593.

Details

CWE(s): CWE-285

Affected Products: potsky pimp my log 1.7.14

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an improper access control flaw in a public-facing web application's configuration endpoint, allowing unauthenticated remote attackers to create admin accounts, directly enabling T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
