The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify and delete database contents.

Fixes

Solution

Update to version 20240326.13r14494 or later.


Workaround

No workaround given by the vendor.

History

Thu, 17 Oct 2024 18:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Formosasoft ee-class |
| CPEs | | `cpe:2.3:a:formosasoft:ee-class:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Formosasoft ee-class |

Tue, 15 Oct 2024 14:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Formosasoft, Formosasoft ee Class |
| CPEs | | `cpe:2.3:a:formosasoft:ee_class:*:*:*:*:*:*:*:*` |
| Vendors & Products | | Formosasoft, Formosasoft ee Class |
| Metrics | | ssvc: `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}` |


Tue, 15 Oct 2024 08:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | The ee-class from FormosaSoft does not properly validate a specific page parameter, allowing remote attackers with regular privileges to inject arbitrary SQL commands to read, modify and delete database contents. |
| Title | | FormosaSoft ee-class - SQL Injection |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV3_1: `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}` |


MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2024-10-15T13:56:27.287Z

Reserved: 2024-10-15T06:57:52.213Z

Link: CVE-2024-9980

Vulnrichment

Updated: 2024-10-15T13:56:13.913Z

NVD

Status: Analyzed

Published: 2024-10-15T08:15:03.163

Modified: 2024-10-17T18:03:34.807

Link: CVE-2024-9980

Redhat

No data.

OpenCVE Enrichment

No data.