【Vulnerability Alert】Multiple Critical Security Vulnerabilities Found in Grand Vice info Webopac
publish date :
2024-11-12
update date :
2024-11-20
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2024111208112121 | Publication Time | 2024/11/12 08:28 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2024/11/11 19:23 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】Multiple Critical Security Vulnerabilities Found in Grand Vice info Webopac |
|||
| [Content] Forwarded from TWCERTCC-200-202411-00000001 ● Grand Vice info Webopac SQL Injection (TVN-2024-11001, CVE-2024-11016, CVSS: 9.8) A SQL Injection vulnerability exists in Grand Vice info Webopac, allowing unauthenticated remote attackers to inject arbitrary SQL commands via specific parameters, enabling them to read, modify, or delete database content. ● Grand Vice info Webopac Arbitrary File Upload (TVN-2024-11003, CVE-2024-11018, CVSS: 9.8) Improper file type validation in Grand Vice info Webopac allows unauthenticated remote attackers to upload webshell programs and execute them, enabling arbitrary code execution on the server. ● Grand Vice info Webopac SQL Injection (TVN-2024-11005, CVE-2024-11020, CVSS: 9.8) A SQL Injection vulnerability exists in Grand Vice info Webopac, allowing unauthenticated remote attackers to inject arbitrary SQL commands via specific parameters, enabling them to read, modify, or delete database content. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] ● Webopac 6 ● Webopac 7 |
|||
| [Recommended Actions] ● Update Webopac 6 to version 6.5.1 or later. ● Update Webopac 7 to version 7.2.3 or later. |
|||
| [Reference] 1. https://www.twcert.org.tw/tw/cp-132-8209-bf75d-1.html 2. https://www.twcert.org.tw/tw/cp-132-8213-3413b-1.html 3. https://www.twcert.org.tw/tw/cp-132-8217-05b42-1.html |
|||
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center
