PT-2026-36126 · Fanwei · Weaver E-Office

Published 2026-04-30 · Updated 2026-04-30 · CVE-2022-50993

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Weaver (Fanwei) E-office versions prior to 10.0 20221201

Description: An unauthenticated arbitrary file upload issue exists in the 'OfficeServer.php' endpoint. Remote attackers can upload malicious files, such as PHP webshells, to the Document directory by sending multipart POST requests with arbitrary filenames and disguised content types. These files can then be executed via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC).

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
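
For triage, the pattern in the description (a POST to 'OfficeServer.php', then a request for a script under the Document directory) can be hunted in web access logs. The following is an added example, not part of the advisory or of any vendor tooling; the log lines, the `/placeholder/` path prefix, the extension list and the 10-minute correlation window are assumptions chosen for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed access-log lines (combined log format). Paths and IPs are
# illustrative placeholders, not values taken from the advisory.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2022:03:14:01 +0000] "POST /placeholder/OfficeServer.php HTTP/1.1" 200 12
203.0.113.7 - - [10/Oct/2022:03:14:05 +0000] "GET /placeholder/Document/test.php HTTP/1.1" 200 31
198.51.100.4 - - [10/Oct/2022:04:00:00 +0000] "GET /placeholder/Document/report.docx HTTP/1.1" 200 20480
198.51.100.9 - - [10/Oct/2022:05:00:00 +0000] "POST /placeholder/OfficeServer.php HTTP/1.1" 200 12
192.0.2.55 - - [10/Oct/2022:09:30:00 +0000] "GET /placeholder/Document/x.PHP?c=1 HTTP/1.1" 404 0
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
UPLOAD_RE = re.compile(r'/OfficeServer\.php$', re.I)
# Assumption: the Document directory should only serve documents, so any
# server-side script extension requested there is worth a look.
SCRIPT_RE = re.compile(r'/Document/[^?]*\.(?:php\d?|phtml|phar)$', re.I)

def parse(line):
    """Return (ip, time, method, path-without-query, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, target, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, target.split("?", 1)[0], int(status)

def find_suspicious(log_text, window=timedelta(minutes=10)):
    """Flag upload POSTs and script requests under Document, correlated by client IP."""
    findings, last_upload = [], {}  # last_upload: ip -> time of latest upload POST
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue
        ip, when, method, path, status = rec
        if method == "POST" and UPLOAD_RE.search(path):
            last_upload[ip] = when
            findings.append(("upload_post", ip, path, status))
        elif SCRIPT_RE.search(path):
            prior = last_upload.get(ip)
            recent = prior is not None and when - prior <= window
            kind = "script_after_upload" if recent else "script_in_document"
            findings.append((kind, ip, path, status))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

Script requests are flagged even without a preceding POST from the same address, since the upload and the later request may come from different clients; a 200 status on such a request deserves a check of the file on disk.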

Exploit

RCE

Unrestricted File Upload


Weakness Enumeration

Related Identifiers: CVE-2022-50993

Affected Products: Weaver E-Office