CVE-2024-9981

Published: Oct 15, 2024Modified: Oct 17, 2024

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: NVD

Description

The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to upload a malicious PHP file first and then exploit this vulnerability to include the file, resulting in arbitrary code execution on the server.

Affected (1)

Products: Formosasoft: Ee Class

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Formosasoft Ee Class	Before 2024-03-26

Related CWEs

Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

References (2)

https://www.twcert.org.tw/en/cp-139-8145-15bea-2.html

Source: twcert@cert.org.tw

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-8144-2885b-1.html

Source: twcert@cert.org.tw

Third Party Advisory

Timeline

No history available yet.