CVE-2023-2647
Published: 11 May 2023
Summary
CVE-2023-2647 is a medium-severity Command Injection (CWE-77) vulnerability in Weaver E-Office. Its CVSS base score is 6.3 (Medium).
Operationally, it ranks in the top 5.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2647 is a command-injection vulnerability (CWE-77) affecting the file-upload handler in Weaver E-Office version 9.5. The flaw resides in an unspecified function inside /webroot/inc/utility_all.php; crafted input supplied to this component is executed as operating-system commands. The issue carries a CVSS 3.1 base score of 6.3, with a network attack vector, low attack complexity, and a low-privilege authentication requirement.
An authenticated remote attacker can send a malicious request to the affected endpoint and obtain limited read, write, and execution capabilities on the underlying host. Public proof-of-concept code demonstrating the injection has been published, confirming that exploitation does not require user interaction or special network positioning.
Vendor contact prior to disclosure received no response, and the referenced advisories contain no mitigation guidance or patch information. The associated EPSS score has remained flat at 0.1369 since publication, indicating no measurable increase in observed exploitation activity.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34113
Vulnerability details
A vulnerability was found in Weaver E-Office 9.5 and classified as critical. Affected by this issue is some unknown functionality of the file /webroot/inc/utility_all.php of the component File Upload Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The identifier of this vulnerability is VDB-228776. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.