CVE-2022-50992

Exploit

EPSS 0.71%
Veröffentlicht 30.04.2026 16:09:06
Zuletzt bearbeitet 30.04.2026 17:19:57
Quelle disclosure@vulncheck.com
CVE-Watchlists
Login
Unerledigt
Login

Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet

Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 9

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

HerstellerWeaver Network Co., Ltd.

≫

Produkt E-cology

Default Statusaffected

Version 0

Version < 10.52

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.71%	0.484

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
disclosure@vulncheck.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
disclosure@vulncheck.com	8.7	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.

https://www.weaver.com.cn/cs/securityDownload.html#

https://www.weaver.com.cn/cs/ecology_full_log.html

https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245

https://blog.csdn.net/qq_36618918/article/details/135104295

https://blog.csdn.net/xiayu729100940/article/details/135205082

https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet

https://nvd.nist.gov/vuln/detail/CVE-2022-50992

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2022-50992

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2022-50992

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2022-50992