CVSS: 7.5EPSS: 10%CPEs: 1EXPL: 1CVE-2023-2766 – Weaver OA jx2_config.ini file access
https://notcve.org/view.php?id=CVE-2023-2766
A vulnerability was found in Weaver OA 9.5 and classified as problematic. This issue affects some unknown processing of the file /building/backmgr/urlpage/mobileurl/configfile/jx2_config.ini. The manipulation leads to files or directories accessible. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/8079048q/cve/blob/main/weaveroa.md https://vuldb.com/?ctiid.229271 https://vuldb.com/?id.229271 • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2765 – Weaver OA downfile.php absolute path traversal
https://notcve.org/view.php?id=CVE-2023-2765
A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. • https://github.com/eckert-lcc/cve/blob/main/Weaver%20oa.md https://vuldb.com/?ctiid.229270 https://vuldb.com/?id.229270 • CWE-36: Absolute Path Traversal •
CVSS: 9.8EPSS: 15%CPEs: 1EXPL: 1CVE-2023-2648 – Weaver E-Office uploadify.php unrestricted upload
https://notcve.org/view.php?id=CVE-2023-2648
A vulnerability was found in Weaver E-Office 9.5. It has been classified as critical. This affects an unknown part of the file /inc/jquery/uploadify/uploadify.php. The manipulation of the argument Filedata leads to unrestricted upload. It is possible to initiate the attack remotely. • https://github.com/sunyixuan1228/cve/blob/main/weaver.md https://vuldb.com/?ctiid.228777 https://vuldb.com/?id.228777 • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 1CVE-2023-2647 – Weaver E-Office File Upload utility_all.php command injection
https://notcve.org/view.php?id=CVE-2023-2647
A vulnerability was found in Weaver E-Office 9.5 and classified as critical. Affected by this issue is some unknown functionality of the file /webroot/inc/utility_all.php of the component File Upload Handler. The manipulation leads to command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/sunyixuan1228/cve/blob/main/weaver%20exec.md https://vuldb.com/?ctiid.228776 https://vuldb.com/?id.228776 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2019-16133
https://notcve.org/view.php?id=CVE-2019-16133
An issue was discovered in eteams OA v4.0.34. Because the session is not strictly checked, the account names and passwords of all employees in the company can be obtained by an ordinary account. Specifically, the attacker sends a jsessionid value for URIs under app/profile/summary/. Se descubrió un problema en eteams OA v4.0.34. Debido a que la sesión no se verifica estrictamente, los nombres de cuenta y las contraseñas de todos los empleados de la empresa pueden obtenerse mediante una cuenta ordinaria. • http://www.iwantacve.cn/index.php/archives/271 • CWE-613: Insufficient Session Expiration •