Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2024101810100808 | Publication Time | 2024/10/18 10:35 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/10/16 10:35 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】 FormosaSoft Corporation's ee-class contains multiple critical security vulnerabilities |
|||
| [Content] Forwarded from TWCERTCC-200-202410-00000006 On 2024-10-15, TWCERT/CC issued a report regarding critical security vulnerabilities in FormosaSoft Corporation's ee-class: FormosaSoft Corporation ee-class - SQL Injection (TVN-202410010, CVE-2024-9980, CVSS: 8.8) FormosaSoft Corporation's ee-class does not properly validate certain page parameters, allowing remote attackers with general user privileges to inject arbitrary SQL commands to read, modify, and delete database contents. FormosaSoft Corporation ee-class - Local File Inclusion (TVN-202410011, CVE-2024-9981, CVSS: 8.8) FormosaSoft Corporation's ee-class does not properly validate certain page parameters, allowing remote attackers with general user privileges to upload malicious PHP files. These files can then be executed on the server by exploiting this vulnerability, allowing the attacker to run arbitrary code. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] Versions of ee-class prior to 20240326.13r14494 (exclusive) |
|||
| [Recommended Actions] Update to version 20240326.13r14494 (inclusive) or later. |
|||
| [Reference] 1.FormosaSoft Corporation ee-class - SQL Injection: https://www.twcert.org.tw/tw/cp-132-8142-cf0d3-1.html 2.FormosaSoft Corporation ee-class - Local File Inclusion: https://www.twcert.org.tw/tw/cp-132-8144-2885b-1.html |
|||