CVE-2023-6026: Multiple vulnerabilities in PHPMemcachedAdmin

Affected Resources

• PHPMemcachedAdmin 1.3.0 version

Description

INCIBE has coordinated the publication of 3 vulnerabilities that affect PHPMemcachedAdmin, a stand-alone graphical management program for memcached for monitoring and debugging purposes, which have been discovered by Rafael Pedrero.

A estas vulnerabilidades se les han asignado los siguientes códigos, puntuación base CVSS v3.1, vector del CVSS y el tipo de vulnerabilidad CWE de cada vulnerabilidad:

• CVE-2023-6026: CVSS v3.1: 9.8 | CVSS: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | CWE-22.
• CVE-2023-6027: CVSS v3.1: 6.1 | CVSS: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N | CWE-79.

Solution

There is no reported solution at this time.

Detail

• CVE-2023-6026: a Path traversal vulnerability has been reported in elijaa/phpmemcachedadmin affecting version 1.3.0. This vulnerability allows an attacker to delete files stored on the server due to lack of proper verification of user-supplied input.
• CVE-2023-6027: a critical flaw has been identified in elijaa/phpmemcachedadmin affecting version 1.3.0, specifically related to a stored XSS vulnerability. This vulnerability allows malicious actors to insert a carefully crafted JavaScript payload. The issue arises from improper encoding of user-controlled entries in the “/pmcadmin/configure.php” parameter.