KEVIntel
CVSS 6.3 Medium

CVE-2023-3836

PUBLISHED

Dahua Smart Park Management unrestricted upload

Exploited in the wild · PoC available · Remote · Low complexity · No user interaction
Vendor: Dahua
Product: Smart Park Management
Published: Jul 22, 2023
EPSS


Description

A vulnerability classified as critical was found in Dahua Smart Park Management up to 20230713. This vulnerability affects unknown code of the file /emap/devicePoint_addImgIco?hasSubsystem=true. The manipulation of the argument upload leads to unrestricted upload. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-235162 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was discovered in Dahua Smart Park Management up to 20230713. It was classified as critical. Affected is an unknown processing of the file /emap/devicePoint_addImgIco?hasSubsystem=true. By manipulating the argument upload with unknown data, an unrestricted upload vulnerability can be exploited. The attack can take place over the network. The exploit is publicly available.

nuclei_scanner

Weaknesses (CWE)

  • Unrestricted Upload of File with Dangerous Type

CVSS scores

CVSS v3.1 6.3 Medium

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v3.0 6.3 Medium

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS v2.0 6.5 Medium

AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitation status

Exploited in the wild

Recorded 2026-06-03 00:00:00 UTC · The Shadowserver (via CIRCL)

Proof of concept available

Recorded 2023-08-30 12:11:42 UTC · GitHub

Known exploited vulnerability sources

Catalogues that list this CVE as a known exploited vulnerability.

Source Added
The Shadowserver (via CIRCL) First 2025-07-07 00:00 UTC

Scanner integrations

Potential proof of concepts

These PoCs are unverified and could contain malware. Use at your own risk.

zh-byte/CVE-2023-3836

github · Created 2023-08-30 12:11:42 UTC · 0 stars

Dahua Smart Park Integrated Management Platform publishing file upload

Timeline

  • CVE ID Reserved

  • CVE Published to Public

  • Proof of Concept Exploit Available

  • Detected by Nuclei

  • Added to KEVIntel