Description

phpfm 1.7.9 contains an authentication bypass vulnerability that allows attackers to log in by exploiting loose type comparison in password hash validation. Attackers can craft specific password hashes beginning with 0e or 00e to bypass authentication and upload malicious PHP files to the server.
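As an added illustration (not phpfm's code or the advisory's), the loose-comparison pattern the description refers to, beside a hardened check; the hash-like strings are constructed and their only relevant property is the "0e<digits>" shape:

```php
<?php
// Added example, not phpfm's code. The values below are constructed:
// 32-character strings shaped like md5 hex digests that begin with "0e".
$storedHash    = '0e' . str_repeat('1', 30);
$submittedHash = '0e' . str_repeat('7', 30);   // differs in every digit after "0e"

// Vulnerable pattern: == is PHP's loose comparison. When both operands look
// numeric, they are compared as numbers, and "0e111..." and "0e777..." are
// both read as 0 times a power of ten, i.e. 0.0, so they compare equal.
// The same applies to the "00e<digits>" shape the description mentions.
function loginLoose(string $stored, string $submitted): bool
{
    return $submitted == $stored;
}

// Hardened pattern: hash_equals() compares the strings byte for byte (in
// constant time), so only an identical digest is accepted.
function loginStrict(string $stored, string $submitted): bool
{
    return hash_equals($stored, $submitted);
}

var_dump(loginLoose($storedHash, $submittedHash));   // loose: mismatched digests accepted
var_dump(loginStrict($storedHash, $submittedHash));  // strict: mismatched digests rejected
var_dump(loginStrict($storedHash, $storedHash));     // strict: identical digest accepted
```

Using === instead of == also avoids the numeric coercion, but hash_equals() is the idiomatic choice for comparing secrets because it additionally avoids timing leaks.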

Status: PUBLISHED | Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner: VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

Weak Authentication

Product status

1.7.9: affected

Credits

thoughtfault (finder)

References

www.exploit-db.com/exploits/51594 (ExploitDB-51594) exploit

www.dulldusk.com/phpfm/ (phpFileManager Product Webpage) product

www.vulncheck.com/...-bypass-via-type-juggling-vulnerability (VulnCheck Advisory: phpfm 1.7.9 Authentication Bypass via Type Juggling Vulnerability) third-party-advisory

cve.org (CVE-2023-53894)

nvd.nist.gov (CVE-2023-53894)

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.