CVE-2023-1149 - Vulnerability Details - OpenCVE

Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Changed

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction Required

Attack Vector Network

Attack Complexity Low

Privileges Required High

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact High

User Interaction Required

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00549.

Exploitation poc

Automatable no

Technical Impact partial

Vendors	Products
Btcpayserver	Btcpay Server

Configuration 1 [-]

cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92
https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f

History

Mon, 10 Mar 2025 14:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

MITRE

Status: PUBLISHED

Assigner: @huntrdev

Published: 2023-03-02T00:00:00.000Z

Updated: 2025-03-07T21:41:24.232Z

Reserved: 2023-03-02T00:00:00.000Z

Link: CVE-2023-1149

Vulnrichment

Updated: 2024-08-02T05:40:57.973Z

NVD

Status : Modified

Published: 2023-03-02T05:15:11.647

Modified: 2026-06-17T05:27:13.623

Link: CVE-2023-1149

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-1149", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2025-03-07T21:41:24.232Z", "dateReserved": "2023-03-02T00:00:00.000Z", "datePublished": "2023-03-02T00:00:00.000Z"}, "containers": {"cna": {"title": "Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-03-02T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0."}], "affected": [{"vendor": "btcpayserver", "product": "btcpayserver/btcpayserver", "versions": [{"version": "unspecified", "lessThan": "1.8.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f"}, {"url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "cweId": "CWE-76"}]}], "source": {"advisory": "2e734209-d7b0-4f57-a8be-c65c82208f2f", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:40:57.973Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f", "tags": ["x_transferred"]}, {"url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92", "tags": ["x_transferred"]}]}, {"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-07T21:41:08.793865Z", "id": "CVE-2023-1149", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T21:41:24.232Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2023-1149", "assignerOrgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "assignerShortName": "@huntrdev", "dateUpdated": "2025-03-07T21:41:24.232Z", "dateReserved": "2023-03-02T00:00:00.000Z", "datePublished": "2023-03-02T00:00:00.000Z"}, "containers": {"cna": {"title": "Improper Neutralization of Equivalent Special Elements in btcpayserver/btcpayserver", "providerMetadata": {"orgId": "c09c270a-b464-47c1-9133-acb35b22c19a", "shortName": "@huntrdev", "dateUpdated": "2023-03-02T00:00:00.000Z"}, "descriptions": [{"lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0."}], "affected": [{"vendor": "btcpayserver", "product": "btcpayserver/btcpayserver", "versions": [{"version": "unspecified", "lessThan": "1.8.0", "status": "affected", "versionType": "custom"}]}], "references": [{"url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f"}, {"url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "HIGH", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-76 Improper Neutralization of Equivalent Special Elements", "cweId": "CWE-76"}]}], "source": {"advisory": "2e734209-d7b0-4f57-a8be-c65c82208f2f", "discovery": "EXTERNAL"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T05:40:57.973Z"}, "title": "CVE Program Container", "references": [{"url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f", "tags": ["x_transferred"]}, {"url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92", "tags": ["x_transferred"]}]}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2023-1149", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-07T21:41:08.793865Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-07T21:41:19.375Z"}}]}}

{"affected": [{"affectedData": [{"product": "btcpayserver/btcpayserver", "vendor": "btcpayserver", "versions": [{"lessThan": "1.8.0", "status": "affected", "version": "unspecified", "versionType": "custom"}]}], "source": "security@huntr.dev"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:btcpayserver:btcpay_server:*:*:*:*:*:*:*:*", "matchCriteriaId": "EF93CD27-A3BD-4F17-BE43-6E1F3E795E04", "versionEndExcluding": "1.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Equivalent Special Elements in GitHub repository btcpayserver/btcpayserver prior to 1.8.0."}], "id": "CVE-2023-1149", "lastModified": "2026-06-17T05:27:13.623", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 5.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:H", "version": "3.0"}, "exploitabilityScore": 0.9, "impactScore": 4.7, "source": "security@huntr.dev", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2023-1149", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2025-03-07T21:41:08.793865Z", "version": "2.0.3"}}]}, "published": "2023-03-02T05:15:11.647", "references": [{"source": "security@huntr.dev", "tags": ["Patch"], "url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92"}, {"source": "security@huntr.dev", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/btcpayserver/btcpayserver/commit/ddb125f45892b4dafdbd5c072af1ce623758bb92"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"], "url": "https://huntr.dev/bounties/2e734209-d7b0-4f57-a8be-c65c82208f2f"}], "sourceIdentifier": "security@huntr.dev", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-76"}], "source": "security@huntr.dev", "type": "Secondary"}]}