CVE-2023-36348

8.8 HIGH

📋 TL;DR

POS Codekop v2.0 contains an authenticated remote code execution (RCE) vulnerability via the filename parameter of its file upload. An authenticated attacker can upload a malicious file under a crafted filename and then execute arbitrary code on the server. Organizations running POS Codekop v2.0 are affected.

💻 Affected Systems

Products:
  • POS Codekop
Versions: v2.0
Operating Systems: Any OS running POS Codekop
Default Config Vulnerable: ⚠️ Yes
Notes: Requires authenticated access to exploit.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete system compromise, data theft, ransomware deployment, and lateral movement within the network.

🟠 Likely Case: Webshell installation leading to data exfiltration, credential harvesting, and persistence on the compromised system.

🟢 If Mitigated: Limited impact due to network segmentation, strict file upload validation, and minimal user privileges.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: CONFIRMED
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploit code and demonstration videos are publicly available.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None known

Restart Required: No

Instructions:

No official patch available. Consider upgrading to a newer version if available or implementing workarounds.

🔧 Temporary Workarounds

Implement File Upload Validation (applies to: all)

Restrict file uploads to an allowlist of extensions and validate the file content, not just the supplied name.

Web Application Firewall (WAF) Rules (applies to: all)

Deploy WAF rules to block malicious file upload attempts.
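The upload-validation workaround above is the control that neutralizes this class of bug: the client-supplied filename should only ever decide the extension, and the extension must be checked against an allowlist together with the bytes actually sent. The following is an added example of such a server-side check, written for this page; it is not POS Codekop code, and the `check_upload` helper, the `/var/app/uploads` directory and the allowlist contents are assumptions. It goes slightly beyond the one-line workaround by also discarding any directory component in the name, lowercasing the extension so mixed-case names are not a bypass, rejecting a file whose content does not match its declared type (which covers double extensions such as `x.php.png`), and storing the file under a random server-chosen name.

```python
"""Allowlist-based upload validation (added example; hypothetical helper,
not POS Codekop code)."""
import os
import secrets

# Allowed extensions mapped to the magic bytes their content must start with.
# "shell.php" fails the allowlist; "shell.php.png" passes the extension check
# but fails the magic-byte check unless the body really is a PNG.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "pdf": (b"%PDF-",),
}
MAX_UPLOAD_BYTES = 5 * 1024 * 1024  # assumed limit for this example


def check_upload(client_filename, content, upload_dir="/var/app/uploads"):
    """Return (True, stored_name) if the upload is acceptable, else (False, reason).

    The client-supplied name is used only to read the extension; the file is
    stored under a random server-chosen name, so the name can never steer the
    file toward a script handler or another directory.
    """
    if not content:
        return False, "empty body"
    if len(content) > MAX_UPLOAD_BYTES:
        return False, "too large"

    # Strip any directory component the client sent (../../x.png, C:\x.png).
    base = os.path.basename(client_filename.replace("\\", "/")).strip()
    if base in ("", ".", ".."):
        return False, "invalid name"
    if "\x00" in base:
        return False, "null byte in name"

    # Only the LAST extension matters; lowercase it so ".PhP" is not a bypass.
    ext = base.rsplit(".", 1)[1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return False, f"extension not allowed: {ext or '(none)'}"

    # The declared type must match the bytes actually sent.
    if not any(content.startswith(sig) for sig in ALLOWED_TYPES[ext]):
        return False, f"content does not look like {ext}"

    # A PHP tag inside an otherwise valid image is still a risk if the web
    # server ever executes files from the upload directory; reject it outright.
    if b"<?php" in content or b"<?=" in content:
        return False, "embedded PHP tag"

    stored_name = f"{secrets.token_hex(16)}.{ext}"
    dest = os.path.join(upload_dir, stored_name)
    # Defence in depth: the final path must stay inside the upload directory.
    root = os.path.abspath(upload_dir)
    if os.path.commonpath([root, os.path.abspath(dest)]) != root:
        return False, "path escapes upload directory"
    return True, stored_name


if __name__ == "__main__":
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16  # constructed minimal PNG header
    for name, body in [("photo.png", png),
                       ("shell.php", b"<?php echo 'x'; ?>"),
                       ("shell.php.png", b"<?php echo 'x'; ?>"),
                       ("shell.PhP", png)]:
        print(name, "->", check_upload(name, body))
```

Serve the upload directory with script execution disabled (or from a separate host) regardless of this check; the validation reduces what gets stored, the server configuration decides what can run.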

🧯 If You Can't Patch

  • Isolate the POS Codekop system from critical network segments.
  • Implement strict access controls and monitor for unusual file upload activities.

🔍 How to Verify

Check if Vulnerable:

Check if running POS Codekop v2.0 and test authenticated file upload with malicious filenames.

Check Version:

Check application configuration or documentation for version information.

Verify Fix Applied:

Test file upload functionality to ensure only allowed extensions are accepted.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with executable extensions
  • Multiple failed upload attempts

Network Indicators:

  • HTTP POST requests to upload endpoints with suspicious filenames

SIEM Query:

source="web_logs" AND (url_path="/upload" OR filename="*.php" OR filename="*.jsp")
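The log and network indicators above (uploads with executable extensions, repeated failed uploads, POSTs to the upload endpoint with suspicious names) translate directly into a small detection routine. The following is an added example written for this page, not a vendor or SIEM-provided rule; it assumes an application log with one JSON object per line carrying `ts`, `src_ip`, `method`, `path`, `status` and `filename` fields, and the sample lines are constructed. It goes a little beyond the one-line SIEM query by matching executable extensions anywhere in the name (so `x.php.png` and `cmd.PHP` are caught, which `filename="*.php"` alone would miss) and by counting failed uploads per source within a time window.

```python
"""Detection over upload-endpoint log lines (added example; constructed data)."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Executable/server-side extensions, matched as any extension in the name,
# not only the last one, and case-insensitively.
EXEC_EXT = re.compile(r"\.(php\d?|phtml|phar|jsp|jspx|asp|aspx|cgi|sh)(\.|$)",
                      re.IGNORECASE)
UPLOAD_PATHS = ("/upload",)   # assumed upload endpoint prefix
FAILED_THRESHOLD = 3          # assumed: N failed uploads from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window raises an alert

# Constructed sample log (JSON per line); not real POS Codekop output.
SAMPLE_LOG = """
{"ts": "2024-01-01T10:00:00", "src_ip": "10.0.0.5", "method": "POST", "path": "/upload", "status": 200, "filename": "receipt.png"}
{"ts": "2024-01-01T10:01:00", "src_ip": "10.0.0.9", "method": "POST", "path": "/upload", "status": 403, "filename": "shell.php"}
{"ts": "2024-01-01T10:01:30", "src_ip": "10.0.0.9", "method": "POST", "path": "/upload", "status": 403, "filename": "shell.phtml"}
{"ts": "2024-01-01T10:02:00", "src_ip": "10.0.0.9", "method": "POST", "path": "/upload", "status": 403, "filename": "shell.php.png"}
{"ts": "2024-01-01T10:02:30", "src_ip": "10.0.0.9", "method": "POST", "path": "/upload", "status": 200, "filename": "cmd.PHP"}
{"ts": "2024-01-01T10:03:00", "src_ip": "10.0.0.5", "method": "GET", "path": "/upload", "status": 200, "filename": ""}
"""


def is_suspicious_name(filename):
    """True if any extension in the name is a server-side script type."""
    return bool(EXEC_EXT.search(filename or ""))


def analyze(lines):
    """Return a list of alert dicts for the given log lines."""
    alerts = []
    failures = defaultdict(list)  # src_ip -> timestamps of recent failed uploads
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        if ev.get("method") != "POST" or not ev.get("path", "").startswith(UPLOAD_PATHS):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        name = ev.get("filename", "")

        if is_suspicious_name(name):
            alerts.append({
                "rule": "executable-upload",
                # An accepted (2xx) upload of a script name is the urgent case.
                "severity": "high" if ev["status"] < 400 else "medium",
                "src_ip": ev["src_ip"], "filename": name, "status": ev["status"],
            })

        if ev["status"] >= 400:
            recent = [t for t in failures[ev["src_ip"]] if ts - t <= WINDOW]
            recent.append(ts)
            failures[ev["src_ip"]] = recent
            if len(recent) == FAILED_THRESHOLD:
                alerts.append({
                    "rule": "repeated-failed-uploads", "severity": "medium",
                    "src_ip": ev["src_ip"], "count": len(recent),
                })
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

A 2xx response paired with a script-like filename is the indicator to escalate first, since it means the upload check on the server did not reject the file; the repeated-failure rule mostly surfaces reconnaissance against the endpoint.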
