CVE-2023-2765
Weaver OA downfile.php absolute path traversal
- Public Exploits: 1
- Exploited in Wild: -
Descriptions
A vulnerability has been found in Weaver OA up to 9.5 and classified as problematic. This vulnerability affects unknown code of the file /E-mobile/App/System/File/downfile.php. The manipulation of the argument url leads to absolute path traversal. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. VDB-229270 is the identifier assigned to this vulnerability. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
A problematic vulnerability was found in Weaver OA up to 9.5. It concerns an unspecified function of the file /E-mobile/App/System/File/downfile.php. Manipulating the argument url with unknown data can be used to exploit an absolute path traversal vulnerability. The attack can be carried out over the network. The exploit is publicly available.
Timeline
- 2023-05-17 CVE Reserved
- 2023-05-17 CVE Published
- 2024-08-02 CVE Updated
- 2024-08-02 First Exploit
- 2024-10-27 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
CWE
- CWE-36: Absolute Path Traversal
References (1)
URL | Date | SRC |
---|---|---|
https://github.com/eckert-lcc/cve/blob/main/Weaver%20oa.md | 2024-08-02 |
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status |
---|---|---|---|---|
Weaver | Weaver Office Automation | 9.5 | - | Affected |