Remote Code Execution in Feng Office 3.7.0.5 by Unauthorized Users
CVE-2019-9623

9.8CRITICAL

Key Information:

Vendor: Fengoffice
Status: Feng Office
Vendor: CVE Published:; 7 March 2019

What is CVE-2019-9623?

Feng Office 3.7.0.5 has a vulnerability that allows remote attackers to execute arbitrary code through crafted SHTML files. By exploiting the vulnerable ck_upload_handler.php file, malicious users can gain unauthorized access to the server and execute commands, leading to potentially severe impacts on the integrity and security of the affected system. It is crucial for users of this platform to apply patches and implement security measures to mitigate this risk.

References

https://www.exploit-db.com/exploits/46471

exploitx_refsource_EXPLOIT-DB

https://pentest.com.tr/exploits/Feng-Office-3-7-0-5-Unaut...

x_refsource_MISC

EPSS Score

19% chance of being exploited in the next 30 days.

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Mar 7, 2019
Vulnerability Reserved
Mar 6, 2019

Fengoffice

What is CVE-2019-9623?

References

EPSS Score

CVSS V3.1

Timeline