PatchSiren cyber security CVE debrief
CVE-2023-1728 Fernus Informatics CVE debrief
CVE-2023-1728 is a critical vulnerability in Fernus Learning Management Systems (LMS) involving unrestricted upload of a file with a dangerous type. The issue can lead to OS command injection and Server Side Include (SSI) injection, and the CVSS v3.1 score is 9.8 (critical). NVD lists affected Fernus LMS versions as those before 23.04.03. Because the flaw is network exploitable, requires no privileges, and needs no user interaction, exposed LMS deployments should be treated as urgent remediation targets.
- Vendor
- Fernus Informatics
- Product
- LMS
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2023-04-04
- Original CVE updated
- 2024-11-21
- Advisory published
- 2023-04-04
- Advisory updated
- 2024-11-21
Who should care
Fernus LMS administrators, application owners, security operations teams, and incident responders should prioritize this issue if any LMS instance is reachable over the network or accepts file uploads.
Technical summary
The NVD record describes an unrestricted file upload weakness that permits dangerous file types to be uploaded into Fernus LMS. The reported impact includes OS command injection and SSI injection. The supplied NVD vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H, indicating remote exploitation with no authentication or user interaction and severe confidentiality, integrity, and availability impact. Vulnerable versions are those before 23.04.03.
Defensive priority
Critical. Prioritize immediate patching or isolation of affected Fernus LMS instances, especially if the platform is internet-facing or accepts user uploads.
Recommended defensive actions
- Upgrade Fernus Learning Management Systems to version 23.04.03 or later as soon as possible.
- Identify every deployed LMS instance, including test and forgotten systems, and verify whether any are running a version before 23.04.03.
- If immediate upgrading is not possible, restrict access to upload features and place the application behind strong network controls until remediation is complete.
- Review logs and application storage for unexpected or high-risk uploads, followed by any signs of command execution or SSI-related behavior.
- After remediation, validate that upload handling enforces safe file-type controls and that the application is monitored for abuse of upload workflows.
Evidence notes
All claims are drawn from the supplied CVE record and NVD metadata. The vulnerability description explicitly states unrestricted upload of a dangerous file type with OS command injection and SSI injection impact. The affected-version boundary is provided in the NVD CPE criteria as endExcluding 23.04.03. The CVSS vector and score are taken from the supplied source data. No KEV entry was supplied.
Official resources
-
CVE-2023-1728 CVE record
CVE.org
-
CVE-2023-1728 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Third Party Advisory, US Government Resource
Published 2023-04-04. The supplied record was last modified on 2024-11-21. No Known Exploited Vulnerabilities (KEV) entry was supplied for this CVE.