cbcvebase.
CVE-2023-30330
published 2023-05-12

CVE-2023-30330: SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function…

PriorityP264critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
EXPLOIT
EPSS
5.88%
92.3th percentile
SoftExpert (SE) Excellence Suite 2.x versions before 2.1.3 is vulnerable to Local File Inclusion in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php.

Affected

1 ranges
VendorProductVersion rangeFixed in
softexpertexcellence_suite>= 2.0 < 2.1.32.1.3

Detection & IOCsextracted from sources · hover to see the quote

path/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php
path/softexpert/selogin
path/softexpert/selogout
cookiese-authentication-token
commandaction=4&managerName=lol&managerPath=<base64_encoded_path>&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false
  • Monitor POST requests to the vulnerable endpoint /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php. LFI exploitation uses the 'managerPath' POST parameter carrying a base64-encoded file path.
  • The 'managerPath' parameter value is base64-encoded (using 'base64 -w 0'). Detect base64-encoded path traversal strings (e.g., encoding of '../' sequences) in POST body parameters to this endpoint.
  • The fixed className value 'ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg==' (base64 for 'doc_document_advanced_group_filter') appears consistently in exploit POST bodies and can serve as a static detection signature.
  • The exploit sets 'action=4' in the POST body to the LFI endpoint. Requests with action=4 combined with a non-empty managerPath to this PHP file are strong indicators of exploitation.
  • ·The exploit requires valid credentials to first obtain a session token before triggering the LFI. This means unauthenticated detection at the LFI endpoint alone may miss attacks; authentication logs should also be monitored.
  • ·The vulnerability affects SoftExpert Excellence Suite 2.x versions before 2.1.3. The exploit script is labeled v2.1.3 but the NVD advisory clarifies the affected range is versions before 2.1.3.
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.