Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2023-5966 PoC — Unrestricted Upload of File with Dangerous Type in EspoCRM

Source
https://github.com/ll104567/cve-2023-5966
Associated Vulnerability
Title:Unrestricted Upload of File with Dangerous Type in EspoCRM (CVE-2023-5966)
Description:An authenticated privileged attacker could upload a specially crafted zip to the EspoCRM server in version 7.2.5, via the extension deployment form, which could lead to arbitrary PHP code execution.
Readme
# Poc from CVE-2023-5966

[Advisory](https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-espocrm)


EspoCRM 2.7.4 and earlier is vulnerable to an arbitrary file upload that can lead to code execution in the add extension functionality.

The zip file on this repo upload a web shell to /webshell.php
File Snapshot

 [4.0K]  /data/pocs/d21beafa0ab4e88eea8fafe38fb3926807aa743e
├── [ 323]  README.md
└── [1.2K]  Weaponized_Extension.zip

1 directory, 2 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →