CVE-2023-37152 in Online Art Gallery Project
Summary
by MITRE • 07/10/2023
Projectworlds Online Art Gallery Project 1.0 allows unauthenticated users to perform arbitrary file uploads via the adminHome.php page.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 01/16/2026
The vulnerability identified as CVE-2023-37152 affects Projectworlds Online Art Gallery Project version 1.0, presenting a critical security flaw that enables unauthenticated attackers to execute arbitrary file uploads on the target system. This vulnerability exists within the adminHome.php page, which serves as an administrative interface for the art gallery platform. The flaw stems from insufficient input validation and access control mechanisms that fail to properly authenticate users or restrict file upload capabilities to legitimate administrators only. The absence of proper authorization checks allows any remote attacker to bypass authentication requirements and directly upload files to the server without providing valid credentials. This represents a fundamental breakdown in the application's security architecture and demonstrates poor implementation of security controls that should be present in any web application handling administrative functions.
The technical nature of this vulnerability aligns with CWE-434, which describes "Unrestricted Upload of File with Dangerous Type," and specifically manifests as a lack of proper file type validation combined with insufficient authentication checks. The vulnerability operates by allowing attackers to submit files through the adminHome.php endpoint without requiring authentication, potentially enabling the upload of malicious scripts, executables, or other harmful file types that could compromise the entire system. Attackers could exploit this weakness to upload web shells, malware, or other malicious content that would execute with the privileges of the web server process. The vulnerability also correlates with ATT&CK technique T1190, which covers "Exploit Public-Facing Application," as the flaw exists in a publicly accessible administrative interface that can be targeted from external networks. This creates a direct pathway for attackers to escalate privileges and gain persistent access to the affected system.
The operational impact of this vulnerability is severe and multifaceted, potentially allowing attackers to achieve complete system compromise through a single exploit. An attacker could upload malicious files that provide remote code execution capabilities, enabling them to establish backdoors, exfiltrate data, or use the compromised system as a launch point for further attacks within the network. The vulnerability also poses risks to data integrity and availability, as attackers could upload files that overwrite legitimate system components or introduce malicious code that disrupts normal operations. Organizations relying on this art gallery platform could face significant financial losses, regulatory penalties, and reputational damage if the vulnerability is exploited. The lack of authentication requirements means that the attack surface is maximized, as any user with access to the web application can attempt exploitation without needing to first compromise legitimate credentials.
Mitigation strategies for CVE-2023-37152 should include immediate implementation of proper authentication controls on all administrative endpoints, including the adminHome.php page. The system must enforce strict access control mechanisms that verify user credentials before granting administrative privileges or file upload capabilities. File upload validation should be strengthened through multiple layers of protection including MIME type checking, file extension filtering, and content analysis to prevent execution of malicious files. Organizations should implement proper input sanitization and validation to ensure that all file uploads are properly inspected before being stored or processed. Additionally, the application should be configured to use secure file storage practices, including storing uploaded files outside the web root directory and implementing proper file permissions. Regular security audits and penetration testing should be conducted to identify similar vulnerabilities in other parts of the application. The system should also implement logging and monitoring capabilities to detect suspicious file upload activities and potential exploitation attempts. Network segmentation and firewall rules should be configured to limit access to administrative interfaces to trusted IP addresses only, reducing the attack surface and providing additional defense-in-depth measures.