CVE-2023-2766
Published: 17 May 2023
Summary
CVE-2023-2766 is a medium-severity Files or Directories Accessible to External Parties (CWE-552) vulnerability in Weaver E-Office. Its CVSS base score is 5.3 (Medium).
Operationally, it ranks in the top 0.3% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
CVE-2023-2766 is a files-or-directories-accessible vulnerability in Weaver OA version 9.5. The issue resides in the handling of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini, where improper access controls allow external parties to reach sensitive resources. It is tracked under CWE-552 and carries a CVSS 3.1 base score of 5.3 reflecting network attack vector, low complexity, and no required authentication or user interaction.
An unauthenticated remote attacker can directly request the affected configuration file to obtain limited confidential information. Public proof-of-concept code has been released, enabling straightforward exploitation without vendor interaction.
No official patches or mitigation guidance have been published; the vendor was notified prior to disclosure but did not respond. The associated EPSS score currently stands at 0.91 with a recorded peak of 0.92, indicating sustained public interest in the flaw since its May 2023 publication.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-34224
Vulnerability details
A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-229271. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Controls on authorized publication limit files and directories with nonpublic data from becoming accessible to external parties.
Controlling and documenting P2P file sharing prevents files and directories from being made accessible to external parties for unauthorized distribution.
Identifying and documenting file and directory locations allows restriction of access to external parties.
Protecting backup files ensures they are not accessible to external parties or unauthorized spheres.
Sanitizing equipment before off-site maintenance reduces the risk of files or directories containing sensitive data becoming accessible to external parties.
Policy restricts media access to authorized parties only, preventing exposure of resources to external or unauthorized actors.
Media access restrictions prevent files or directories from being accessible to external parties.
Employing and evaluating controls at documented alternate sites makes files and directories less likely to be accessible to external parties through physical or environmental weaknesses.