CVE-2023-36348
published 2023-06-23

CVE-2023-36348: POS Codekop v2.0 was discovered to contain an authenticated remote code execution (RCE) vulnerability via the filename parameter.

Priority: P265 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 6.37% (92.8th percentile)
Affected

1 ranges
Vendor | Product | Version range | Fixed in
codekop | codekop | |

Detection & IOCs (extracted from sources)

url: /fungsi/edit/edit.php?gambar=user
path: /assets/img/user/[random_number]asuka-rce.php
filename: asuka-rce.php
  • Monitor for multipart/form-data POST requests to /fungsi/edit/edit.php?gambar=user where the uploaded filename has a .php extension rather than a legitimate image extension.
  • Detect Content-Type spoofing: uploaded file declared as image/jpeg but filename carries a .php extension in the Content-Disposition header.
  • Alert on HTTP GET requests to /assets/img/user/ paths that resolve to .php files, indicating a previously uploaded web shell is being accessed.
  • The exploit requires prior authentication (valid session cookie) before the malicious upload can be performed; unauthenticated access to the upload endpoint alone is insufficient.
  • The web shell is dropped under /assets/img/user/ with a random numeric prefix, so detection rules must use a wildcard/regex pattern rather than a fixed filename.
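
The monitoring rules above can be expressed as two checks, one over a captured upload request and one over access-log lines. This is an added example, not code from this page or its sources; it generalizes the `.php` test to an allowlist of image extensions. The allowlist, the form field name `foto`, the boundary `XBOUND`, the numeric prefix `1234` and the sample log lines are assumptions constructed for illustration.

```python
import os
import re

UPLOAD_PATH = "/fungsi/edit/edit.php"            # endpoint named on this page
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}   # assumption: accepted image types
FILENAME_RE = re.compile(r'filename="([^"]*)"', re.I)
CTYPE_RE = re.compile(r"^Content-Type:\s*(\S+)", re.I | re.M)
ACCESS_RE = re.compile(r'"[A-Z]+ (/assets/img/user/[^/?\s]+\.php)(?:\?\S*)? HTTP/', re.I)

def check_upload(method, uri, boundary, body):
    """Flag multipart parts sent to the upload endpoint whose filename is not an image."""
    path, _, query = uri.partition("?")
    if method.upper() != "POST" or path != UPLOAD_PATH or "gambar=user" not in query.split("&"):
        return []
    findings = []
    for part in body.split("--" + boundary):
        headers = part.partition("\r\n\r\n")[0]
        name = FILENAME_RE.search(headers)
        if not name or not name.group(1):
            continue                             # plain form field, or no file selected
        ext = os.path.splitext(name.group(1).lower())[1]
        if ext in IMAGE_EXTS:
            continue
        findings.append(("non_image_upload", name.group(1)))
        ctype = CTYPE_RE.search(headers)
        if ctype and ctype.group(1).lower().startswith("image/"):
            findings.append(("content_type_spoof", name.group(1)))
    return findings

def check_access(log_line):
    """Return the requested path if it is a .php file directly under /assets/img/user/."""
    m = ACCESS_RE.search(log_line)
    return m.group(1) if m else None

# Constructed sample input (not captured traffic); field name and boundary are assumptions.
SAMPLE_BODY = (
    "--XBOUND\r\n"
    'Content-Disposition: form-data; name="foto"; filename="asuka-rce.php"\r\n'
    "Content-Type: image/jpeg\r\n\r\n(file bytes omitted)\r\n"
    "--XBOUND--\r\n"
)
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /assets/img/user/1234asuka-rce.php HTTP/1.1" 200 12',
    '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "GET /assets/img/user/avatar.png HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    print(check_upload("POST", UPLOAD_PATH + "?gambar=user", "XBOUND", SAMPLE_BODY))
    print([p for p in map(check_access, SAMPLE_LOG) if p])
```

Because the upload requires a valid session, correlating a `check_upload` finding with the session cookie on the same request identifies the account that was used.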