CVE-2023-2648
Published 2023-05-11
Priority: P1 · 86 · critical · CVSS 3.1 base score 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Flags: ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 28.48% (97.9th percentile)
A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| weaver | e-office | — | — |
Detection & IOCs (extracted from sources)
- url: POST /inc/jquery/uploadify/uploadify.php HTTP/1.1
- filename: {{file}}.php.
- The exploit uploads a PHP webshell via a multipart POST to /inc/jquery/uploadify/uploadify.php using the 'Filedata' parameter. The filename uses a trailing-dot bypass (e.g., 'file.php.') to circumvent extension filtering.
- After upload, the dropped PHP file is accessed via a second POST request to /attachment/{extracted_id}/{file}.php to confirm remote code execution. Monitor for HTTP 200 responses to dynamically named PHP files under /attachment/.
- The exploit uses a numeric directory name (extracted via regex '([0-9]+)' from the upload response body) as the path component under /attachment/ where the webshell is stored.
- FOFA fingerprinting queries for the target application are 'app="泛微-EOffice"' and 'app="泛微-eoffice"', useful for identifying exposed instances.
- Successful exploitation is confirmed by the presence of the MD5 hash of the string 'CVE-2023-2648' in the HTTP response body of the second request, alongside a 200 status code.
- The upload endpoint /inc/jquery/uploadify/uploadify.php is unauthenticated and requires no prior login, making this a zero-interaction pre-auth RCE (CVSS 9.8, PR:N, UI:N).
- The Nuclei template is marked 'intrusive' and 'verified', meaning it actively uploads a file to the target. Use only in authorized testing environments.
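Detection logic for the two-request chain described above, added here as an example and not taken from the page's sources or the Nuclei template. The log lines are constructed, and the five-minute correlation window is an assumption; the last function shows why a plain `endswith('.php')` check misses the 'file.php.' trailing-dot form while a normalized check does not.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2023:10:00:01 +0000] "POST /inc/jquery/uploadify/uploadify.php HTTP/1.1" 200 512
203.0.113.7 - - [11/May/2023:10:00:03 +0000] "POST /attachment/2023051110/shell.php HTTP/1.1" 200 32
198.51.100.9 - - [11/May/2023:10:05:00 +0000] "GET /attachment/12/report.pdf HTTP/1.1" 200 9001
198.51.100.9 - - [11/May/2023:11:30:00 +0000] "GET /attachment/12/index.php HTTP/1.1" 404 0
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
UPLOAD_PATH = "/inc/jquery/uploadify/uploadify.php"      # unauthenticated upload endpoint
ATTACH_RE = re.compile(r"^/attachment/\d+/[^/]+\.php$")  # numeric dir + PHP file
WINDOW = timedelta(minutes=5)                             # assumed correlation window


def parse(log_text):
    """Parse common-log-format lines into (ip, timestamp, method, path, status)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            events.append((m["ip"], ts, m["method"], m["path"], int(m["status"])))
    return events


def find_upload_then_exec(log_text, window=WINDOW):
    """Return (ip, path) pairs where a client POSTed to the uploadify endpoint and,
    within `window`, got HTTP 200 for a PHP file under /attachment/<digits>/."""
    uploads = defaultdict(list)
    hits = []
    for ip, ts, method, path, status in sorted(parse(log_text), key=lambda e: e[1]):
        if method == "POST" and path == UPLOAD_PATH:
            uploads[ip].append(ts)
        elif status == 200 and ATTACH_RE.match(path):
            if any(timedelta(0) <= ts - t <= window for t in uploads[ip]):
                hits.append((ip, path))
    return hits


def is_php_upload_name(filename):
    """Hardened extension check: strip trailing dots/spaces before looking at the
    extension, so 'file.php.' is treated the same as 'file.php'."""
    normalized = filename.rstrip(". ").lower()
    return normalized.rsplit(".", 1)[-1] in {"php", "phtml", "php5", "phar"}
```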
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| vulncheck | — | 6.3 | MEDIUM | — |
GHSA
GHSA-p87m-68pc-hg94 (ghsa_unreviewed · 2023-05-11): CVE-2023-2648 [MEDIUM] CWE-434
VulnCheck
weaver e-office Unrestricted Upload of File with Dangerous Type (vulncheck · 2023 · CVSS 6.3 · CVE-2023-2648 [MEDIUM])
Affected: weaver e-office
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://dashboard.shadowse
No detection rules found.
Nuclei
Weaver E-Office 9.5 - Remote Code Execution (nuclei · CVSS 9.8 · CVE-2023-2648 [CRITICAL])
Template (as shown on the page, cut off after the start of the description):

```yaml
id: CVE-2023-2648

info:
  name: Weaver E-Office 9.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part
```