CVE-2023-30330
Published: 2023-05-12
Priority: P264 · Severity: critical · CVSS 3.1: 9.8
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 5.88% (92.3th percentile)
SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| softexpert | excellence_suite | >= 2.0 < 2.1.3 | 2.1.3 |
Detection & IOCs (extracted from sources)
command: action=4&managerName=lol&managerPath=<base64_encoded_path>&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false
- Monitor POST requests to the vulnerable endpoint /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php. LFI exploitation uses the 'managerPath' POST parameter carrying a base64-encoded file path.
- The 'managerPath' parameter value is base64-encoded (using 'base64 -w 0'). Detect base64-encoded path traversal strings (e.g., encoding of '../' sequences) in POST body parameters to this endpoint.
- The fixed className value 'ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg==' (base64 for 'doc_document_advanced_group_filter') appears consistently in exploit POST bodies and can serve as a static detection signature.
- The exploit sets 'action=4' in the POST body to the LFI endpoint. Requests with action=4 combined with a non-empty managerPath to this PHP file are strong indicators of exploitation.
- The exploit requires valid credentials to first obtain a session token before triggering the LFI. This means unauthenticated detection at the LFI endpoint alone may miss attacks; authentication logs should also be monitored.
- The vulnerability affects SoftExpert Excellence Suite 2.x versions before 2.1.3. The exploit script is labeled v2.1.3 but the NVD advisory clarifies the affected range is versions before 2.1.3.
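The indicators listed above can be combined into one check over logged requests. The following is an added example, not a rule from this page's sources or from SoftExpert; it assumes raw POST bodies are available (for example from a reverse proxy or WAF with body logging), and the function names, indicator labels and sample requests are constructed for illustration.

```python
import base64
import binascii
from urllib.parse import parse_qs, urlencode

# Endpoint and static className value exactly as quoted on the page.
ENDPOINT = "/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php"
CLASSNAME_SIG = "ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg=="

def decode_b64(value):
    """Best-effort base64 decode; None when the value is not valid base64."""
    value = value.replace(" ", "+")  # parse_qs turns an unescaped '+' into a space
    value += "=" * (-len(value) % 4)  # tolerate stripped padding
    try:
        return base64.b64decode(value, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None

def score_request(method, path, body):
    """Return the indicators (hypothetical labels) that one request matches."""
    if method.upper() != "POST" or path.split("?", 1)[0] != ENDPOINT:
        return []
    params = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    hits = ["post_to_endpoint"]
    manager_path = params.get("managerPath", "")
    if params.get("action") == "4" and manager_path:
        hits.append("action4_with_managerPath")
    if params.get("className") == CLASSNAME_SIG:
        hits.append("static_className")
    decoded = decode_b64(manager_path) if manager_path else None
    if decoded and ("../" in decoded or "..\\" in decoded):
        hits.append("traversal_in_managerPath")
    return hits

def sample_body(action, path_bytes):
    """Constructed form body using the parameter names quoted on the page."""
    return urlencode({"action": action, "managerName": "x",
                      "managerPath": base64.b64encode(path_bytes).decode(),
                      "className": CLASSNAME_SIG,
                      "instantiate": "false", "loadJquery": "false"})

# Constructed samples (method, path, body); not taken from real traffic.
SAMPLES = [
    ("POST", ENDPOINT, sample_body("4", b"../../constructed/example.txt")),
    ("POST", ENDPOINT, "action=1&managerPath="),
    ("GET", ENDPOINT, ""),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(method, score_request(method, path, body))
```

Because the request is made with a valid session, alerts from this check are best correlated with the authentication logs for the same account and source address.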