Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2024111208112121 | Publication Time | 2024/11/12 08:28 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/11/11 19:23 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】Multiple Critical Security Vulnerabilities Found in Grand Vice info Webopac |
|||
| [Content] Forwarded from TWCERTCC-200-202411-00000001 ● Grand Vice info Webopac SQL Injection (TVN-2024-11001, CVE-2024-11016, CVSS: 9.8) A SQL Injection vulnerability exists in Grand Vice info Webopac, allowing unauthenticated remote attackers to inject arbitrary SQL commands via specific parameters, enabling them to read, modify, or delete database content. ● Grand Vice info Webopac Arbitrary File Upload (TVN-2024-11003, CVE-2024-11018, CVSS: 9.8) Improper file type validation in Grand Vice info Webopac allows unauthenticated remote attackers to upload webshell programs and execute them, enabling arbitrary code execution on the server. ● Grand Vice info Webopac SQL Injection (TVN-2024-11005, CVE-2024-11020, CVSS: 9.8) A SQL Injection vulnerability exists in Grand Vice info Webopac, allowing unauthenticated remote attackers to inject arbitrary SQL commands via specific parameters, enabling them to read, modify, or delete database content. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] ● Webopac 6 ● Webopac 7 |
|||
| [Recommended Actions] ● Update Webopac 6 to version 6.5.1 or later. ● Update Webopac 7 to version 7.2.3 or later. |
|||
| [Reference] 1. https://www.twcert.org.tw/tw/cp-132-8209-bf75d-1.html 2. https://www.twcert.org.tw/tw/cp-132-8213-3413b-1.html 3. https://www.twcert.org.tw/tw/cp-132-8217-05b42-1.html |
|||