Source: Ministry of Education Information & Communication Security Contingency Platform
Publication Number | TACERT-ANA-2025031810030000 | Publication Time | 2025/03/18 10:21 |
Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/03/18 10:21 |
Impact Level | Medium | ||
[Subject] 【Vulnerability Alert】Two Critical Vulnerabilities in E-EXCELLENCE U-Office Force |
|||
[Content] Forwarded from TWCERTCC-200-202503-00000005

[E-EXCELLENCE U-Office Force - Improper Authentication] (TVN-202503002, CVE-2025-2395, CVSS: 9.8)
E-EXCELLENCE U-Office Force has an Improper Authentication vulnerability. A remote attacker without authentication can manipulate cookies when interacting with specific APIs, allowing them to log in as an administrator.

[E-EXCELLENCE U-Office Force - Arbitrary File Upload] (TVN-202503003, CVE-2025-2396, CVSS: 8.8)
E-EXCELLENCE U-Office Force has an Arbitrary File Upload vulnerability. A remote attacker with standard user privileges can upload and execute a web shell (backdoor), enabling arbitrary code execution on the server.

Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
[Affected Platform] U-Office Force versions earlier than 28.0 |
|||
[Recommended Actions] Users should update U-Office Force to version 28.0 or later as soon as possible to mitigate these vulnerabilities. |
|||
[Reference]
E-EXCELLENCE U-Office Force - Improper Authentication: https://www.twcert.org.tw/tw/cp-132-10011-3de72-1.html
E-EXCELLENCE U-Office Force - Arbitrary File Upload: https://www.twcert.org.tw/tw/cp-132-10013-0d371-1.html |