CVE-2023-53922
Published: 17 December 2025
Description
TinyWebGallery v2.5 contains a remote code execution vulnerability in the admin upload functionality that allows unauthenticated attackers to upload malicious PHP files. Attackers can upload .phar files with embedded system commands to execute arbitrary code on the server by accessing the uploaded file's URL.
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Remediates the unrestricted file upload flaw in TinyWebGallery's admin functionality, preventing exploitation of CVE-2023-53922 by applying patches or mitigations.
- Validates uploaded files at the admin upload point to reject dangerous types like .phar and malicious PHP content, directly blocking the RCE vector.
- Enforces approved authorizations requiring authentication for the admin upload functionality, stopping unauthenticated attackers from uploading malicious files.
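The second and third controls above, written out as an added example in PHP (the language TinyWebGallery is built in). This is not TinyWebGallery's code or an official patch; the function names `validateUpload()` and `handleAdminUpload()`, the `$_SESSION['is_admin']` flag and the `$uploadDir` parameter are assumptions. It rejects a file whose name carries any non-allowlisted extension (so `shell.php.jpg` and `a.phar.png` fail, not only `a.phar`), derives the content type from the bytes rather than the client header, and refuses content containing a PHP open tag or a phar stub marker even when the file otherwise parses as an image:

```php
<?php
// Added example (not TinyWebGallery's code): defensive validation for an
// admin upload handler, addressing the CWE-434 flaw described for CVE-2023-53922.
// validateUpload(), handleAdminUpload(), $_SESSION['is_admin'] and $uploadDir
// are assumed names for illustration.

declare(strict_types=1);

final class UploadRejected extends RuntimeException {}

/**
 * Validate one entry of $_FILES and return a server-chosen safe filename.
 * Every check is on the bytes or the full name, never on client-supplied
 * metadata alone.
 */
function validateUpload(
    array $file,
    array $allowedExt = ['jpg', 'jpeg', 'png', 'gif'],
    array $allowedMime = ['image/jpeg', 'image/png', 'image/gif']
): string {
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new UploadRejected('upload failed or missing');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new UploadRejected('not an uploaded file');
    }

    // 1. Extension allowlist applied to every dotted component, so that
    //    "shell.php.jpg" or "a.phar.png" is rejected, not just the final suffix.
    $parts = explode('.', strtolower(basename($file['name'])));
    array_shift($parts); // drop the base name, keep only the extensions
    if ($parts === [] || count(array_diff($parts, $allowedExt)) > 0) {
        throw new UploadRejected('extension not allowed');
    }

    // 2. Content type determined from the file bytes (finfo), not from
    //    the client's Content-Type header.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!in_array($mime, $allowedMime, true)) {
        throw new UploadRejected("unexpected content type $mime");
    }

    // 3. Reject embedded PHP or a phar stub even inside a valid-looking image
    //    (a phar can begin with a GIF header and still carry a PHP stub).
    $bytes = file_get_contents($file['tmp_name']);
    if ($bytes === false || preg_match('/<\?(php|=)|__HALT_COMPILER/i', $bytes)) {
        throw new UploadRejected('executable content detected');
    }

    // 4. Server-chosen name: random, with a single allowlisted extension.
    return bin2hex(random_bytes(16)) . '.' . end($parts);
}

/**
 * Admin upload endpoint: authorization first, validation second, and the
 * file is stored under a name the client never controlled.
 */
function handleAdminUpload(string $uploadDir): void
{
    if (empty($_SESSION['is_admin'])) {          // assumed session flag
        http_response_code(403);
        exit('authentication required');
    }
    try {
        $name = validateUpload($_FILES['image'] ?? []);
        if (!move_uploaded_file($_FILES['image']['tmp_name'], $uploadDir . '/' . $name)) {
            throw new UploadRejected('could not store file');
        }
        echo 'stored';
    } catch (UploadRejected $e) {
        http_response_code(400);
        echo 'rejected: ' . $e->getMessage();
    }
}
```

Pair this with a web-server rule that disables script execution in the upload directory (for Apache with mod_php, `php_admin_flag engine off` inside a `<Directory>` block for the gallery's upload path), so that a file which slips past validation is served as static data rather than run by the interpreter.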
Security Summary (AI-generated)
TinyWebGallery version 2.5 suffers from a remote code execution vulnerability in its admin upload functionality, classified as CVE-2023-53922 with CWE-434 (Unrestricted Upload of File with Dangerous Type). This flaw enables unauthenticated attackers to upload malicious PHP files, specifically .phar files containing embedded system commands. By subsequently accessing the URL of the uploaded file, attackers can trigger execution of arbitrary code on the server. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and lack of required privileges.
Unauthenticated remote attackers can exploit this vulnerability directly over the network without user interaction. The attack involves leveraging the unrestricted admin upload feature to place a malicious .phar file on the server, followed by a simple HTTP request to its URL, resulting in immediate code execution with the privileges of the web server process. Successful exploitation grants attackers high confidentiality, integrity, and availability impacts, potentially leading to full server compromise, data theft, or further lateral movement.
Advisories and references, including those from VulnCheck (https://www.vulncheck.com/advisories/tinywebgallery-remote-code-execution-via-unrestricted-file-upload) and Exploit-DB (https://www.exploit-db.com/exploits/51443), detail the vulnerability and provide proof-of-concept exploits. The official TinyWebGallery site (http://www.tinywebgallery.com/) is also referenced, though no specific patches or mitigations for version 2.5 are detailed in the available information. Security practitioners should review these resources for remediation guidance, such as upgrading to a patched version if available or implementing file upload restrictions.
A public proof-of-concept exploit is available on Exploit-DB, highlighting the risk of real-world exploitation against exposed TinyWebGallery v2.5 instances.
Details
- CWE(s): CWE-434 (Unrestricted Upload of File with Dangerous Type)
- Affected Products: TinyWebGallery v2.5
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability enables unauthenticated RCE via unrestricted file upload in a public-facing web application (T1190), allowing upload and execution of malicious PHP/.phar files functioning as web shells (T1505.003).