CVE-2023-53942

File Thingie version 2.5.7 is affected by CVE-2023-53942, an authenticated file upload vulnerability classified under CWE-434 (Unrestricted Upload of File with Dangerous Type). The flaw enables remote attackers to upload malicious PHP zip archives directly to the web server. Once uploaded, attackers can unzip the archive and leverage a crafted PHP script with a command parameter to execute arbitrary system commands, earning a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Attackers require low-privilege authenticated access (PR:L) to exploit this vulnerability over the network with no user interaction. By crafting a custom PHP payload within a zip archive, they can upload it via the vulnerable file upload functionality, extract it on the server, and invoke remote code execution (RCE) through the command parameter in the PHP script. Successful exploitation grants high confidentiality, integrity, and availability impacts, potentially leading to full server compromise.

Advisories and proof-of-concept exploits detail the issue, including a public exploit at Exploit-DB (ID 51436) and a Vulncheck advisory on the authenticated arbitrary file upload leading to RCE. The project's GitHub repository at https://github.com/leefish/filethingie provides further context on the software. No specific patch details are outlined in the available information.