CVE-2024-9981

EPSS 3.9%
Veröffentlicht 15.10.2024 08:15:03
Zuletzt bearbeitet 17.10.2024 18:05:29
Quelle twcert@cert.org.tw
CVE-Watchlists
Login
Unerledigt
Login

The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to upload a malicious PHP file first and then exploit this vulnerability to include the file, resulting in arbitrary code execution on the server.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 2 Referenzen 5

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Formosasoft ≫ Ee-class Version < 2024-03-26

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	3.9%	0.878

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
twcert@cert.org.tw	8.8	2.8	5.9	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.

CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.

https://www.twcert.org.tw/en/cp-139-8145-15bea-2.html

Third Party Advisory

https://www.twcert.org.tw/tw/cp-132-8144-2885b-1.html

Third Party Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-9981

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-9981

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-9981

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-9981