【Vulnerability Alert】Multiple Critical Security Vulnerabilities Found in airPASS by NetVision Information
publish date :
2025-01-17
update date :
2025-01-17
Source: Ministry of education information & communication security contingency platform
| Publication Number | TACERT-ANA-2025011603013434 | Publication Time | 2025/01/16 15:21 |
| Incident Type | ANA-Vulnerability Alert | Discovery Time | 2025/01/16 15:21 |
| Impact Level | Medium | ||
| [Subject] 【Vulnerability Alert】Multiple Critical Security Vulnerabilities Found in airPASS by NetVision Information |
|||
| [Content] Forwarded from TWCERTCC-200-202501-00000002 [airPASS - SQL Injection](TVN-202501001, CVE-2025-0455, CVSS: 9.8) A SQL Injection vulnerability exists in airPASS. Unauthenticated remote attackers can inject arbitrary SQL commands through specific parameters, enabling them to read, modify, and delete database content. [airPASS - Missing Authentication] (TVN-202501002, CVE-2025-0456, CVSS: 9.8) A Missing Authentication vulnerability exists in airPASS, allowing unauthenticated remote attackers to access certain administrative functionalities and retrieve the full list of user account credentials. [airPASS - OS Command Injection] (TVN-202501003, CVE-2025-0457, CVSS: 8.8) An OS Command Injection vulnerability exists in airPASS, enabling remote attackers with basic user permissions to inject and execute arbitrary OS commands. Information Sharing Level: WHITE (Information content can be publicly disclosed) |
|||
| [Affected Platform] ●airPASS v2.9.0.x ●airPASS v3.0.0.x |
|||
| [Recommended Actions] 1.For v2.9.0.x: Update to version 2.9.0.241231 or later. 2.For v3.0.0.x: Update to version 3.0.0.241231 or later. 3.Contact resellers or the original vendor for further assistance. |
|||
| [Reference] 1. airPASS - SQL injection https://www.twcert.org.tw/tw/cp-132-8357-28308-1.html 2. airPASS - Missing Authentication https://www.twcert.org.tw/tw/cp-132-8359-53aa7-1.html 3.airPASS - OS Command Injection https://www.twcert.org.tw/tw/cp-132-8361-ff3fb-1.html |
|||
(This notification is for informational purposes only and does not constitute a cybersecurity incident).
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
If you have questions or suggestions regarding this notification, please feel free to contact us.
Ministry of education information & communication security contingency platform
Website: https://info.cert.tanet.edu.tw/
Phone: +886-7-5250211
Internet Phone: 98400000
E-Mail: service@cert.tanet.edu.tw
Organizer:
Computer Center
