Vulnerability Description
Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC).
CVSS Score
9.8 (CRITICAL)
Related Weaknesses (CWE)
References
- https://bbs.chaitin.cn/topic/37
- https://cn-sec.com/archives/1453025.html
- https://service.e-office.cn/knowledge/detail/5
- https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticat
FAQ
What is CVE-2022-50993?
CVE-2022-50993 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user.
How severe is CVE-2022-50993?
CVE-2022-50993 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2022-50993?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.