CVE-2023-33440
published 2023-05-26

CVE-2023-33440: Sourcecodester Faculty Evaluation System v1.0 is vulnerable to arbitrary code execution via /eval/ajax.php?action=save_user.

Priority: P3 · 57 · high
CVSS 3.1: 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EXPLOIT
EPSS: 14.51% (96.2th percentile)

Affected

1 ranges

| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| faculty_evaluation_system_project | faculty_evaluation_system | | |

Detection & IOCs (extracted from sources)

url: /eval/ajax.php?action=save_user
url: /ajax.php?action=save_user
path: /assets/uploads/
filename: {{randstr}}.php
  • Monitor for unauthenticated POST requests to /ajax.php?action=save_user or /eval/ajax.php?action=save_user containing multipart/form-data with a file upload field named 'img' and a .php filename — this is the exploit delivery mechanism for CVE-2023-33440.
  • Alert on PHP files appearing under /assets/uploads/ on Faculty Evaluation System instances — this is where uploaded webshells are stored post-exploitation.
  • The exploit is unauthenticated (no session/auth token required); detect multipart file uploads with Content-Type: application/octet-stream and a .php extension in the 'img' form field without a preceding authentication request.
  • The exploit checks for a response body of exactly '1' (length 1) from the save_user endpoint to confirm successful upload — a WAF or IDS rule can match this response pattern alongside the upload request.
  • The multipart boundary '---------------------------1037163726497' is hardcoded in the Nuclei PoC template and can serve as a static signature for this specific exploit tool.
  • The vulnerability is unauthenticated (CWE-434 unrestricted file upload) — no prior login or privilege is required to exploit it, meaning perimeter authentication controls alone are insufficient.
  • The Nuclei template targets /ajax.php?action=save_user (without the /eval/ prefix), while the NVD description uses /eval/ajax.php?action=save_user — detection rules should cover both path variants.
  • EPSS score is 0.90444 (99.6th percentile), indicating very high likelihood of active exploitation in the wild — prioritize detection and patching accordingly.
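The detection points above can be combined into a single access-log triage pass. The following is an added example, not code from this page or from any vendor: it assumes Apache/nginx combined log format, and the IP addresses, timestamps and file names in the sample are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined log format: client IP, method, request target, status, response bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def is_save_user(target):
    """Match ajax.php?action=save_user under any prefix (covers /ajax.php and /eval/ajax.php)."""
    u = urlsplit(target)
    return (u.path.lower().endswith("/ajax.php")
            and "save_user" in parse_qs(u.query).get("action", []))

def is_uploaded_php(target):
    """Match a request for a .php file stored under /assets/uploads/."""
    path = urlsplit(target).path.lower()
    return "/assets/uploads/" in path and path.endswith(".php")

def scan(lines):
    """Return (uploads, php_hits) as triage signals; neither is proof of compromise."""
    uploads, php_hits, posters = [], [], set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the assumed format
        ip, method, target, status, size = m.groups()
        if method == "POST" and is_save_user(target):
            # 200 with a 1-byte body matches the '1' success response noted above
            uploads.append((ip, target, status == "200" and size == "1"))
            posters.add(ip)
        elif is_uploaded_php(target):
            # Third field: did this client POST to save_user earlier in the log?
            php_hits.append((ip, target, ip in posters))
    return uploads, php_hits

# Constructed sample log lines (documentation IP ranges, made-up file names)
SAMPLE_LOG = [
    '198.51.100.7 - - [01/Jun/2023:10:00:01 +0000] "POST /eval/ajax.php?action=save_user HTTP/1.1" 200 1',
    '198.51.100.7 - - [01/Jun/2023:10:00:03 +0000] "GET /eval/assets/uploads/1685613600_x.php HTTP/1.1" 200 12',
    '192.0.2.10 - - [01/Jun/2023:10:05:00 +0000] "POST /ajax.php?action=login HTTP/1.1" 200 1',
    '192.0.2.10 - - [01/Jun/2023:10:05:02 +0000] "GET /assets/uploads/avatar.png HTTP/1.1" 200 5120',
    '203.0.113.5 - - [01/Jun/2023:10:06:00 +0000] "POST /ajax.php?action=save_user HTTP/1.1" 200 48',
]

if __name__ == "__main__":
    for kind, rows in zip(("save_user POST", "PHP under uploads"), scan(SAMPLE_LOG)):
        for row in rows:
            print(kind, row)
```

Access logs do not record the multipart body, so the 'img' field name and the .php upload filename still have to be matched at the WAF/IDS layer or by watching the uploads directory on disk.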