VYPR
← All advisories
Unrated severityNVD Advisory· Published May 12, 2023· Updated Jan 24, 2025

CVE-2023-30330

CVE-2023-30330

Description

Authenticated Local File Inclusion in SoftExpert Excellence Suite 2.x before 2.1.3 allows reading arbitrary files and can lead to Remote Code Execution via log poisoning.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authenticated Local File Inclusion in SoftExpert Excellence Suite 2.x before 2.1.3 allows reading arbitrary files and can lead to Remote Code Execution via log poisoning.

Vulnerability

The vulnerability exists in the function /se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php in SoftExpert Excellence Suite versions 2.x before 2.1.3. The PHP script uses require_once() to include a file specified via the managerPath parameter in a POST request, expecting a base64-encoded path to a .inc file. However, by providing a base64-encoded path to any file (e.g., C:\windows\win.ini), an attacker can read arbitrary files on the server. The vulnerability requires authentication. [1][2]

Exploitation

An authenticated attacker sends a POST request to the vulnerable endpoint with a base64-encoded file path in the managerPath parameter. The script includes the file via require_once(), allowing the attacker to read the contents of any file readable by the web server. Furthermore, the attacker can escalate to Remote Code Execution by poisoning PHP error logs. By uploading a malicious image (which triggers an error) and injecting PHP code into the Referer header, the attacker can write PHP code into the error log. Then, by including that log file via the same LFI, the PHP code is executed. [1][2]

Impact

Successful exploitation allows an authenticated attacker to read arbitrary files on the server (Local File Inclusion) and, through log poisoning, achieve Remote Code Execution with the privileges of the web server. This can lead to full compromise of the application and underlying system. [1][2]

Mitigation

The vendor released version 2.1.3 which fixes the vulnerability. Users should upgrade to SoftExpert Excellence Suite 2.1.3 or later. No workarounds are documented. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. [1][2]

References
  1. OffSec’s Exploit Database Archive
  2. GitHub - Filiplain/LFI-to-RCE-SE-Suite-2.0: Authenticated Local File Inclusion to Remote Code Execution on SoftExpert Suite EQM.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The PHP function `require_once()` in `defaultframe_filter.php` unsafely includes a file path supplied via the `managerPath` POST parameter without proper validation, allowing an attacker to include arbitrary files from the filesystem."

Attack vector

An authenticated attacker sends a POST request to `/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php` with a base64-encoded file path in the `managerPath` parameter [ref_id=1]. The `require_once()` call includes the decoded file, enabling Local File Inclusion. By targeting PHP error logs and injecting PHP code into the `Referer` header during a malicious profile-picture upload via `user_action.php`, the attacker achieves Remote Code Execution through log poisoning [ref_id=1].

Affected code

The vulnerable function is located at `/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php` [ref_id=1]. This PHP file uses `require_once()` to include a file whose path is supplied via the `managerPath` POST parameter in base64-encoded format [ref_id=1]. The log-poisoning attack vector involves the `user_action.php` function used during profile-picture uploads [ref_id=1].

What the fix does

The advisory states that SE Suite versions before 2.1.3 are affected, implying the fix was released in version 2.1.3 [ref_id=1]. No patch diff is provided in the bundle. The remediation would require the application to validate and sanitize the `managerPath` parameter, restrict inclusion to an allowed whitelist of files, and avoid passing user-controlled input directly to `require_once()`.

Preconditions

  • authAttacker must be authenticated to the SoftExpert Excellence Suite application.
  • networkAttacker must be able to send POST requests to the vulnerable endpoint.
  • configPHP error logging must be enabled for the log poisoning RCE path.

Reproduction

The researcher provides a PoC directory at https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0/tree/main/PoC [ref_id=1]. Reproduction steps: (1) Send a POST request to `defaultframe_filter.php` with a base64-encoded path (e.g., `QzpcXHdpbmRvd3Ncd2luLmluaQ==` for `C:\windows\win.ini`) in the `managerPath` parameter to read arbitrary `.inc` files [ref_id=1]. (2) For RCE, upload a malicious image via `user_action.php` while injecting PHP code into the `Referer` header, then include the poisoned error log via the same LFI endpoint to execute commands [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.