CVE-2022-50993
Unauthenticated Arbitrary File Upload in Weaver E-Office
Publication date: 2026-04-30
Last updated on: 2026-04-30
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| weaver | e-office | up to 10.0_20221201 (excluding) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2022-50993 is an unauthenticated arbitrary file upload vulnerability in Weaver (Fanwei) E-office versions prior to 10.0_20221201. It exists in the OfficeServer.php endpoint, allowing remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types.
Attackers can upload PHP webshells to the Document directory and then execute them via HTTP GET requests, which leads to remote code execution with the privileges of the web server user.
How can this vulnerability impact me?
This vulnerability allows attackers to gain unauthorized access to the affected system by uploading and executing malicious files such as PHP webshells.
Exploitation can lead to remote code execution, enabling attackers to take control of the server, access sensitive data, modify or delete files, and potentially use the compromised server as a foothold for further attacks.
Because the attack requires no authentication or administrator privileges, it poses a severe security threat to organizations using vulnerable versions of Weaver E-office.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unusual multipart POST requests to the OfficeServer.php endpoint that include arbitrary filenames and disguised content types. Specifically, look for attempts to upload PHP files or webshells to the Document directory.
Commands to detect exploitation attempts might include inspecting web server logs for suspicious POST requests or scanning the Document directory for unexpected PHP files.
- Use tools like grep to search web server access logs for POST requests to OfficeServer.php, e.g.: `grep 'POST /OfficeServer.php' /var/log/apache2/access.log`
- Check for recently created or modified PHP files in the Document directory, e.g.: `find /path/to/Document -name '*.php' -mtime -7`
- Use network monitoring tools to detect multipart POST requests with suspicious content types targeting OfficeServer.php.
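The two log-based checks above can be combined into one pass over the access log, which also lets you correlate them: a client that POSTs to OfficeServer.php and then requests a .php file under the Document directory is a stronger signal than either event alone. The script below is an added example, not part of the advisory or of Weaver's software. It assumes Apache/nginx "combined" log format and that the application lives under an `/eoffice/` prefix with its upload folder at `Document/`; the log lines are constructed for the example and are not real traffic.

```python
"""Flag possible CVE-2022-50993 exploitation in web server access logs.

Heuristics taken from the advisory text:
  1. POST requests to the OfficeServer.php upload endpoint.
  2. GET requests for .php files under the Document directory, where uploads land.
  3. The same client doing (1) and later (2) is the strongest signal.
"""
import os
import re
import time
from collections import defaultdict

# Apache/nginx "combined" format: ip - user [time] "METHOD path HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log; the /eoffice/ prefix is an assumption for this example.
SAMPLE_LOG = """\
203.0.113.7 - - [01/May/2026:10:01:02 +0000] "GET /eoffice/login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [01/May/2026:10:01:09 +0000] "POST /eoffice/OfficeServer.php HTTP/1.1" 200 312 "-" "python-requests/2.31"
203.0.113.7 - - [01/May/2026:10:01:15 +0000] "GET /eoffice/Document/a1.php?x=1 HTTP/1.1" 200 98 "-" "python-requests/2.31"
198.51.100.4 - - [01/May/2026:10:05:30 +0000] "GET /eoffice/Document/report.pdf HTTP/1.1" 200 88000 "-" "Mozilla/5.0"
198.51.100.4 - - [01/May/2026:10:06:00 +0000] "POST /eoffice/OfficeServer.php HTTP/1.1" 200 310 "-" "Mozilla/5.0"
192.0.2.9 - - [01/May/2026:10:07:00 +0000] "GET /eoffice/Document/b2.php HTTP/1.1" 404 220 "-" "curl/8.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["path"] = entry["path"].split("?", 1)[0]  # drop query string before matching
    return entry


def is_upload_post(entry):
    """Heuristic 1: POST to the vulnerable upload endpoint (case-insensitive path)."""
    return entry["method"] == "POST" and entry["path"].lower().endswith("/officeserver.php")


def is_document_php_get(entry):
    """Heuristic 2: GET of a .php file inside a Document directory."""
    p = entry["path"].lower()
    return entry["method"] == "GET" and "/document/" in p and p.endswith(".php")


def analyze_log(text):
    """Return {ip: {'uploads': n, 'php_gets': [paths], 'correlated': bool}}.

    'correlated' becomes True when a Document/*.php GET follows an upload POST
    from the same client IP earlier in the log.
    """
    findings = defaultdict(lambda: {"uploads": 0, "php_gets": [], "correlated": False})
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        f = findings[e["ip"]]
        if is_upload_post(e):
            f["uploads"] += 1
        elif is_document_php_get(e):
            f["php_gets"].append(e["path"])
            if f["uploads"] > 0:
                f["correlated"] = True
    return dict(findings)


def severity(finding):
    """Rank a per-IP finding: HIGH (correlated), MEDIUM (upload only), LOW (php GET only)."""
    if finding["correlated"]:
        return "HIGH"
    return "MEDIUM" if finding["uploads"] else "LOW"


def find_recent_php_files(root, days=7):
    """Equivalent of `find <Document> -name '*.php' -mtime -N`, but case-insensitive on the extension."""
    cutoff = time.time() - days * 86400
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith(".php"):
                full = os.path.join(dirpath, name)
                try:
                    if os.path.getmtime(full) >= cutoff:
                        hits.append(full)
                except OSError:
                    pass  # file vanished or unreadable; skip it
    return sorted(hits)


if __name__ == "__main__":
    for ip, f in analyze_log(SAMPLE_LOG).items():
        print(f"{ip}: {severity(f)} uploads={f['uploads']} php_gets={f['php_gets']}")
```

Run it against a real log with `analyze_log(open('/var/log/apache2/access.log').read())`; in the sample, 203.0.113.7 ranks HIGH (upload then Document/*.php fetch), 198.51.100.4 MEDIUM (upload only) and 192.0.2.9 LOW (a .php fetch that 404'd and had no preceding upload). A GET to the endpoint alone is not flagged, since the vulnerability is triggered through POST. Point `find_recent_php_files` at the actual Document directory to reproduce the `find` check from the list above.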
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Weaver E-office system to version 10.0_20221201 or later, which contains the fix for this vulnerability.
If an update is not immediately possible, restrict access to the OfficeServer.php endpoint to trusted IP addresses or through firewall rules to prevent unauthorized file uploads.
Additionally, monitor and remove any suspicious PHP files in the Document directory and review server logs for signs of exploitation.
Applying security patches and following vendor recommendations is critical to prevent remote code execution attacks.