CVE-2023-29627 in Online Pizza Orderinginfo

Summary

by MITRE • 04/14/2023

Online Pizza Ordering v1.0 was discovered to contain an arbitrary file upload vulnerability which allows attackers to execute arbitrary code via a crafted file uploaded to the server.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 12/11/2025

The vulnerability identified as CVE-2023-29627 resides within Online Pizza Ordering version 1.0, representing a critical security flaw that enables remote code execution through unauthorized file uploads. This issue stems from inadequate input validation and sanitization mechanisms within the application's file handling processes, creating an exploitable pathway for malicious actors to compromise the system. The vulnerability manifests when the application fails to properly verify file types, extensions, or content, allowing attackers to bypass security controls and upload potentially malicious files to the server infrastructure.

This arbitrary file upload vulnerability directly maps to CWE-434, which categorizes the weakness as "Unrestricted Upload of File with Dangerous Type." The flaw operates by permitting users to upload files without sufficient validation checks, particularly failing to restrict file extensions or content types. Attackers can leverage this vulnerability by crafting specially designed files that appear legitimate but contain malicious code, such as php shells or other executable payloads. The vulnerability exists in the application's file upload functionality, where the system accepts files without proper verification of their nature, content, or intended use within the application's operational context.

The operational impact of this vulnerability extends beyond simple data compromise, as it provides attackers with direct execution capabilities on the target server. Successful exploitation allows adversaries to execute arbitrary code with the privileges of the web application, potentially leading to complete system compromise, data exfiltration, and establishment of persistent backdoors. The threat landscape for this vulnerability aligns with ATT&CK technique T1505.003, which covers "Server Software Component: Web Shell," indicating that attackers could deploy web shells to maintain access and conduct further reconnaissance. Organizations running this vulnerable application face significant risk of unauthorized access, service disruption, and potential lateral movement within their network infrastructure.

Mitigation strategies for CVE-2023-29627 should prioritize immediate implementation of robust file validation controls, including strict file extension filtering, content type verification, and mandatory file format checks. Organizations must enforce proper input sanitization measures, implement whitelisting of acceptable file types, and ensure that uploaded files are stored in non-executable directories. The application should employ multiple layers of defense including MIME type checking, file signature validation, and virus scanning of uploaded content. Additionally, implementing proper access controls and regular security assessments can help detect and prevent exploitation attempts. Security patches or updates should be applied immediately to address the underlying vulnerability, as the affected version 1.0 represents an outdated and unsupported release that lacks proper security hardening measures.

Reservation

04/07/2023

Disclosure

04/14/2023

Moderation

accepted

CPE

ready

EPSS

0.00985

KEV

no

Activities

very low

Sources

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!