CVE-2023-2523
Published 2023-05-04
Priority: P1 · 86 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV · Initial access
Exploited in the wild
EPSS: 32.90% (98.1th percentile)
A vulnerability was found in Weaver E-Office 9.5. It has been rated as critical. Affected by this issue is some unknown functionality of the file App/Ajax/ajax.php?action=mobile_upload_save. The manipulation of the argument upload_quwan leads to unrestricted upload. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-228014 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| e-office | e-office | — | — |
| weaver | e-office | — | — |
Detection & IOCs (extracted from sources)
filename: {{file}}.php.
command: POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
other: app="泛微-EOffice"
other: app="泛微-eoffice"
- Exploit targets unrestricted file upload via the 'upload_quwan' argument at App/Ajax/ajax.php?action=mobile_upload_save, allowing remote code execution on Weaver E-Office 9.5.
- Exploit targets unrestricted file upload via the 'Filedata' argument at /inc/jquery/uploadify/uploadify.php; attacker uploads a PHP webshell with a trailing dot in the filename (e.g., shell.php.) to bypass extension filters.
- Detection: Monitor for multipart/form-data POST requests to /inc/jquery/uploadify/uploadify.php with a filename parameter containing a .php extension (including trailing-dot bypass variants such as .php.).
- After upload, attacker issues a second POST to the uploaded PHP file path under /attachment/ to achieve remote code execution; monitor for POST requests to /attachment/<numeric_dir>/*.php.
- FOFA fingerprint queries 'app="泛微-EOffice"' and 'app="泛微-eoffice"' can be used to identify exposed Weaver E-Office instances on the internet.
- The exploit is publicly disclosed and PoC code is available at https://github.com/bingtangbanli/cve-2023-2523-and-cve-2023-2648; treat any access to this repo as a threat-intel signal.
- The Nuclei template provided covers CVE-2023-2648 (uploadify.php vector), not CVE-2023-2523 (ajax.php mobile_upload_save vector). Ensure separate detection coverage is built for the ajax.php endpoint.
- The filename bypass technique uses a trailing dot (e.g., 'shell.php.') to evade extension-based upload filters; detection rules must account for this variant and not rely solely on exact .php extension matching.
- The vulnerability is exploitable with no authentication (PR:N, UI:N) and has a CVSS score of 9.8; network-level blocking of the vulnerable endpoints is strongly advised until patching is possible.
- EPSS score of 0.92555 (99.74th percentile) indicates very high probability of exploitation in the wild; prioritize detection and patching accordingly.
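The detection notes above, turned into a request classifier. This is an added example, not a rule from any of the indexed sources: the names `classify` and `is_php_name`, the finding labels and the sample requests are constructed, and it assumes a proxy or WAF that can see request bodies.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints named on this page (compared lower-cased).
UPLOADIFY = "/inc/jquery/uploadify/uploadify.php"
AJAX = "/app/ajax/ajax.php"
# filename="..." inside a multipart Content-Disposition header.
FILENAME_RE = re.compile(rb'filename\*?="?([^";\r\n]+)"?', re.I)
# POST target of the follow-up request: /attachment/<numeric_dir>/*.php
ATTACHMENT_PHP_RE = re.compile(r"^/attachment/\d+/[^/]+\.php[. ]*$", re.I)

def is_php_name(name):
    """True if the name ends in .php once trailing dots/spaces are dropped,
    so 'x.php.' is treated the same as 'x.php'."""
    return name.rstrip(". ").lower().endswith(".php")

def classify(method, target, body=b""):
    """Return finding labels for one HTTP request (empty list = nothing matched)."""
    findings = []
    if method.upper() != "POST":
        return findings
    url = urlsplit(target)
    path = url.path.lower()
    actions = parse_qs(url.query).get("action", [])
    is_upload = path == UPLOADIFY or (path == AJAX and "mobile_upload_save" in actions)
    if is_upload:
        names = [m.decode("utf-8", "replace") for m in FILENAME_RE.findall(body)]
        if any(is_php_name(n) for n in names):
            findings.append("php-upload")
    if ATTACHMENT_PHP_RE.match(url.path):
        findings.append("post-to-attachment-php")
    return findings

# Constructed sample requests (method, request target, body excerpt).
SAMPLES = [
    ("POST", UPLOADIFY,
     b'Content-Disposition: form-data; name="Filedata"; filename="report.php."\r\n\r\nx'),
    ("POST", "/App/Ajax/ajax.php?action=mobile_upload_save",
     b'Content-Disposition: form-data; name="upload_quwan"; filename="photo.jpg"\r\n\r\nx'),
    ("POST", "/attachment/1234567890/report.php", b""),
    ("GET", "/attachment/1234567890/photo.jpg", b""),
]

if __name__ == "__main__":
    for method, target, body in SAMPLES:
        print(method, target, classify(method, target, body))
```

The same `is_php_name` normalisation belongs in any server-side allow-list check, since a filter that compares only the literal last extension misses the trailing-dot form.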
CVSS provenance
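| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 7.5 | HIGH | AV:N/AC:L/Au:N/C:P/I:P/A:P |
| vulncheck | — | 9.8 | CRITICAL | — |
| vendor_redhat | — | 5.5 | MEDIUM | — |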
GHSA
GHSA-w8g9-xrv8-vfw2: A vulnerability was found in Weaver E-Office 9
ghsa_unreviewed·2023-05-04
CVE-2023-2523 [HIGH] CWE-434 GHSA-w8g9-xrv8-vfw2: A vulnerability was found in Weaver E-Office 9
VulnCheck
e-office e-office Unrestricted Upload of File with Dangerous Type
vulncheck·2023·CVSS 9.8
CVE-2023-2523 [CRITICAL] e-office e-office Unrestricted Upload of File with Dangerous Type
Affected: e-office e-office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: htt
No detection rules found.
Nuclei
Weaver E-Office 9.5 - Remote Code Execution
nuclei·CVSS 9.8
CVE-2023-2648 [CRITICAL] Weaver E-Office 9.5 - Remote Code Execution
A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Template:
```yaml
id: CVE-2023-2648
info:
  name: Weaver E-Office 9.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part
```
No writeups or analysis indexed.
2023-05-04: Published
Exploited in the wild