CVE-2023-42335

8.8 HIGH

📋 TL;DR

An unrestricted file upload vulnerability in Fl3xx Dispatch and Crew version 2.10.37 allows remote attackers to upload malicious files via the add attachment function in the New Expense component. This can lead to arbitrary code execution on the server. All users running the vulnerable version are affected.

💻 Affected Systems

Products:
  • Fl3xx Dispatch
  • Fl3xx Crew
Versions: 2.10.37
Operating Systems: iOS, Server platforms running Fl3xx
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in both mobile and server components; exploitation typically targets the server backend.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full server compromise leading to data theft, lateral movement, ransomware deployment, or complete system takeover.

🟠 Likely Case

Webshell deployment allowing persistent access, data exfiltration, or use as a foothold for further attacks.

🟢 If Mitigated

File uploads blocked or sanitized, preventing malicious file execution while maintaining legitimate functionality.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access to the New Expense component; detailed write-up available in references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Versions after 2.10.37

Vendor Advisory: Not publicly documented in vendor advisory

Restart Required: Yes

Instructions:

1. Update Fl3xx Dispatch and Crew to the latest version.
2. Restart application services.
3. Verify that file upload restrictions are enforced.

🔧 Temporary Workarounds

Implement File Upload Restrictions (platforms: all)

Configure the web server or application to restrict file uploads to specific extensions and validate file content.

Disable New Expense Attachment Feature (platforms: all)

Temporarily disable the vulnerable add attachment function until patching is complete.

🧯 If You Can't Patch

  • Implement strict file upload validation at the web application firewall (WAF) level.
  • Isolate affected systems from critical network segments and monitor for suspicious file uploads.

🔍 How to Verify

Check if Vulnerable:

Check application version in settings; if running 2.10.37, test file upload with malicious extensions.

Check Version:

Check application version in Fl3xx admin panel or configuration files.

Verify Fix Applied:

After update, attempt to upload a file with executable extension; it should be blocked or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual file uploads with executable extensions (e.g., .php, .jsp, .exe)
  • Multiple failed upload attempts from single user

Network Indicators:

  • HTTP POST requests to attachment upload endpoints with suspicious file types

SIEM Query:

source="web_logs" AND (url_path="/new_expense/attachment" OR file_extension IN ("php", "jsp", "exe"))
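The log and network indicators above, turned into a small detection routine. This is an added example, not code from the advisory or from Fl3xx; it assumes the application writes a combined-style access log with the uploaded filename as a trailing quoted field, and the sample lines below are constructed. It goes slightly beyond the page's list by catching executable extensions hidden inside double extensions (e.g. `name.php.jpg`) and by flagging users with repeated rejected uploads.

```python
import re
from collections import Counter

# Constructed sample lines (not from the advisory). Assumed format: combined
# access log plus a trailing quoted field carrying the uploaded filename.
SAMPLE_LOGS = """\
10.0.0.5 - alice [12/Oct/2023:10:01:02 +0000] "POST /new_expense/attachment HTTP/1.1" 200 512 "receipt.pdf"
10.0.0.5 - alice [12/Oct/2023:10:02:10 +0000] "POST /new_expense/attachment HTTP/1.1" 200 512 "Invoice.PHP.jpg"
10.0.0.9 - bob [12/Oct/2023:10:03:00 +0000] "POST /new_expense/attachment HTTP/1.1" 400 0 "a.jsp"
10.0.0.9 - bob [12/Oct/2023:10:03:05 +0000] "POST /new_expense/attachment HTTP/1.1" 400 0 "b.exe"
10.0.0.9 - bob [12/Oct/2023:10:03:09 +0000] "POST /new_expense/attachment HTTP/1.1" 400 0 "c.txt"
10.0.0.7 - carol [12/Oct/2023:10:04:00 +0000] "GET /dashboard HTTP/1.1" 200 2048 "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ "(?P<fname>[^"]*)"$'
)
UPLOAD_PATH = "/new_expense/attachment"  # endpoint path taken from the SIEM query above
EXEC_EXT = {"php", "phtml", "jsp", "jspx", "asp", "aspx", "exe"}

def is_executable_name(fname):
    """True if any extension segment (not only the last) is executable,
    so 'shell.php.jpg' and 'X.PHP' are both caught."""
    parts = fname.lower().split(".")[1:]
    return any(p in EXEC_EXT for p in parts)

def scan(log_text, fail_threshold=3):
    """Return (exec_uploads, noisy_users): uploads to the attachment endpoint
    with executable names, and users with >= fail_threshold rejected (4xx)
    uploads, matching the two log indicators listed in the advisory."""
    exec_uploads, failures = [], Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST" or m["path"] != UPLOAD_PATH:
            continue
        if is_executable_name(m["fname"]):
            exec_uploads.append((m["user"], m["fname"], int(m["status"])))
        if m["status"].startswith("4"):
            failures[m["user"]] += 1
    noisy = sorted(u for u, n in failures.items() if n >= fail_threshold)
    return exec_uploads, noisy

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOGS):
        print(finding)
```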

🔗 References
