SQL Injection Vulnerability in DigiWin .NET Allows Unauthorized Access to Database Records and System Commands
CVE-2024-4893

9.8CRITICAL

Key Information:

Vendor: Digiwin
Status: Easyflow .net
Vendor: CVE Published:; 15 May 2024

What is CVE-2024-4893?

The vulnerability present in DigiWin EasyFlow .NET arises from a lack of proper validation for specific input parameters. This oversight permits remote attackers to inject arbitrary SQL commands into the application. As a result, these unauthorized individuals can gain access to sensitive database records, jeopardizing data integrity and potentially allowing for data manipulation or deletion. Furthermore, the exploit can extend to executing system commands, amplifying the risk of server compromise. Users of this application must prioritize security measures to mitigate the risks associated with this vulnerability.

Affected Version(s)

EasyFlow .NET 3.x

EasyFlow .NET 5.x

EasyFlow .NET 6.1.x

References

https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html

third-party-advisory

https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html

third-party-advisory

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2024
Vulnerability Reserved
May 15, 2024

Digiwin

What is CVE-2024-4893?

Affected Version(s)

References

CVSS V3.1

Timeline