{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2022-50993/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2022-50993"}],"_cs_exploited":false,"_cs_products":["E-office (\u003c 10.0_20221201)"],"_cs_severities":["critical"],"_cs_tags":["cve-2022-50993","file-upload","webshell","rce","e-office"],"_cs_type":"advisory","_cs_vendors":["Weaver"],"content_html":"\u003cp\u003eWeaver E-office, a web-based office automation system, contains an unauthenticated arbitrary file upload vulnerability (CVE-2022-50993) affecting versions prior to 10.0_20221201. The flaw lies in the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint, which allows remote attackers to upload arbitrary files without authentication by sending multipart POST requests with manipulated filenames and content types. The Shadowserver Foundation observed initial exploitation evidence on October 10, 2022. Successful exploitation enables attackers to upload malicious PHP webshells to the Document directory and execute them via HTTP GET requests, leading to remote code execution on the affected server as the web server user. This can compromise the confidentiality, integrity, and availability of the E-office system and the underlying server.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe POST request includes a multipart form with a file upload field.\u003c/li\u003e\n\u003cli\u003eThe attacker sets an arbitrary filename for the uploaded file, typically with a \u003ccode\u003e.php\u003c/code\u003e extension.\u003c/li\u003e\n\u003cli\u003eThe attacker disguises the content type of the uploaded file to bypass basic server-side checks.\u003c/li\u003e\n\u003cli\u003eThe server saves the uploaded file (a PHP webshell) to the Document directory.\u003c/li\u003e\n\u003cli\u003eThe attacker sends an HTTP GET request to the uploaded PHP webshell file.\u003c/li\u003e\n\u003cli\u003eThe web server executes the PHP code within the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves remote code execution as the web server user, enabling further malicious activity.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2022-50993 allows an unauthenticated attacker to execute arbitrary code on the affected Weaver E-office server. This can lead to complete system compromise, data theft, modification of sensitive data, and disruption of services. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity. While the number of victims and the sectors targeted are not detailed, organizations running vulnerable versions of Weaver E-office are at high risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Weaver E-office to version 10.0_20221201 or later to patch CVE-2022-50993.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect Weaver E-office Webshell Upload\u0026rdquo; to detect malicious PHP file uploads to the \u003ccode\u003eOfficeServer.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests for \u003ccode\u003e.php\u003c/code\u003e files in the Document directory, which indicate webshell execution.\u003c/li\u003e\n\u003cli\u003eImplement web application firewall (WAF) rules to block suspicious POST requests to \u003ccode\u003eOfficeServer.php\u003c/code\u003e that attempt arbitrary file uploads.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-weaver-eoffice-upload/","summary":"Weaver E-office versions prior to 10.0_20221201 are vulnerable to unauthenticated arbitrary file upload in the OfficeServer.php endpoint, allowing attackers to upload PHP webshells and achieve remote code execution.","title":"Weaver E-office Unauthenticated Arbitrary File Upload Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-weaver-eoffice-upload/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2022-50993","version":"https://jsonfeed.org/version/1.1"}