E Cology

e-cology

Vendor: Weaver • 11 CVEs

CVEs (11)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2026-22679 1Weaver 1E Cology May 5, 2026 Apr 7, 2026 9.3 CRITICAL· v4 9.8 CRITICAL· v3 N/A· v2 Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arb...Show more Weaver (Fanwei) E-cology 10.0 versions prior to 20260312 contain an unauthenticated remote code execution vulnerability in the /papi/esearch/data/devops/dubboApi/debug/method endpoint that allows attackers to execute arbitrary commands by invoking exposed debug functionality. Attackers can craft POST requests with attacker-controlled interfaceName and methodName parameters to reach command-execution helpers and achieve arbitrary command execution on the system. Exploitation evidence was first observed by the Shadowserver Foundation on 2026-03-31 (UTC).Show less
CVE-2025-34038 1Weaver 1E Cology Jan 27, 2026 Jun 24, 2025 8.7 HIGH· v4 7.5 HIGH· v3 N/A· v2 A SQL injection vulnerability exists in Weaver e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql...Show more A SQL injection vulnerability exists in Weaver e-cology 8.0 via the getdata.jsp endpoint. The application directly passes unsanitized user input from the sql parameter into a database query within the getSelectAllIds(sql, type) method, reachable through the cmd=getSelectAllId workflow in the AjaxManager. This allows unauthenticated attackers to execute arbitrary SQL queries, potentially exposing sensitive data such as administrator password hashes. Exploitation evidence was observed by the Shadowserver Foundation on 2025-02-05 UTC.Show less
CVE-2024-48072 1Weaver 1E Cology Jun 5, 2025 Nov 19, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 Weaver Ecology v9.* was discovered to contain a SQL injection vulnerability via the component /mobilemode/Action.jsp?invoker=com.weaver.formmodel.mobile.mec.servlet.MECAction&action=getFieldTriggerValue&searchField=&fro...Show more Weaver Ecology v9. was discovered to contain a SQL injection vulnerability via the component /mobilemode/Action.jsp?invoker=com.weaver.formmodel.mobile.mec.servlet.MECAction&action=getFieldTriggerValue&searchField=*&fromTable=HrmResourceManager&whereClause=1%3d1&triggerCondition=1&expression=%3d&fieldValue=1.Show less
CVE-2024-48070 1Weaver 1E Cology Jun 5, 2025 Nov 19, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in Weaver E-cology v. attackers construct special requests to insert remote malicious code and to trigger malicious code execution, and control server privileges
CVE-2024-48069 1Weaver 1E Cology Jun 5, 2025 Nov 19, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 A vulnerability was found in Weaver E-cology allows attackers use race conditions to bypass security mechanisms to upload malicious files and control server privileges
CVE-2024-48071 1Weaver 1E Cology Sep 24, 2025 Nov 19, 2024 N/A· v4 6.5 MEDIUM· v3 N/A· v2 E-cology has a directory traversal vulnerability. An attacker can exploit this vulnerability to delete the server directory, causing the server to permanently deny service.
CVE-2024-7704 1Weaver 1E Cology May 28, 2025 Aug 12, 2024 6.9 MEDIUM· v4 7.5 HIGH· v3 5.0 MEDIUM· v2 A vulnerability was found in Weaver e-cology 8. It has been classified as problematic. Affected is an unknown function of the file /cloudstore/ecode/setup/ecology_dev.zip of the component Source Code Handler. The manipul...Show more A vulnerability was found in Weaver e-cology 8. It has been classified as problematic. Affected is an unknown function of the file /cloudstore/ecode/setup/ecology_dev.zip of the component Source Code Handler. The manipulation leads to information disclosure. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2023-51892 1Weaver 1E Cology May 30, 2025 Jan 20, 2024 N/A· v4 9.8 CRITICAL· v3 N/A· v2 An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to the FrameworkShellController component.
CVE-2023-3793 1Weaver 1E Cology Nov 21, 2024 Jul 20, 2023 N/A· v4 9.8 CRITICAL· v3 5.2 MEDIUM· v2 A vulnerability was found in Weaver e-cology. It has been rated as critical. This issue affects some unknown processing of the file filelFileDownloadForOutDoc.class of the component HTTP POST Request Handler. The manipul...Show more A vulnerability was found in Weaver e-cology. It has been rated as critical. This issue affects some unknown processing of the file filelFileDownloadForOutDoc.class of the component HTTP POST Request Handler. The manipulation of the argument fileid with the input 1+WAITFOR+DELAY leads to sql injection. Upgrading to version 10.58.0 is able to address this issue. It is recommended to upgrade the affected component. The identifier VDB-235061 was assigned to this vulnerability.Show less
CVE-2023-2806 1Weaver 1E Cology Nov 21, 2024 May 19, 2023 N/A· v4 8.8 HIGH· v3 5.2 MEDIUM· v2 A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity refere...Show more A vulnerability classified as problematic was found in Weaver e-cology up to 9.0. Affected by this vulnerability is the function RequestInfoByXml of the component API. The manipulation leads to xml external entity reference. The associated identifier of this vulnerability is VDB-229411. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2019-10272 1Weaver 1E Cology Nov 21, 2024 Apr 30, 2019 N/A· v4 6.1 MEDIUM· v3 4.3 MEDIUM· v2 An issue was discovered in Weaver e-cology 9.0. There is a CRLF Injection vulnerability via the /workflow/request/ViewRequestForwardSPA.jsp isintervenor parameter, as demonstrated by the %0aSet-cookie: substring.