
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Mar 2025 — A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_5.md • CWE-284: Improper Access Control • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 1

24 Mar 2025 — A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_3.md • CWE-284: Improper Access Control • CWE-434: Unrestricted Upload of File with Dangerous Type

CVSS: 6.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

02 Aug 2024 — Digiwin EasyFlow .NET lacks proper access control for specific functionality, and that functionality does not adequately filter user input. A remote attacker with regular privileges can exploit this vulnerability to download arbitrary files from the remote server. • https://www.twcert.org.tw/tw/cp-132-7989-9c4ea-1.html • CWE-36: Absolute Path Traversal

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

03 Jun 2024 — DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records. • https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

15 May 2024 — DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands. • https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CVSS: 7.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Jul 2022 — Digiwin BPM has an XML External Entity Injection (XXE) vulnerability due to insufficient validation of user input. An unauthenticated remote attacker can perform an XML injection attack to access arbitrary system files. • https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb • CWE-611: Improper Restriction of XML External Entity Reference

CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Jul 2022 — Digiwin BPM has inadequate filtering for the URL parameter. An unauthenticated remote attacker can perform a blind SSRF attack to discover internal network topology based on the URL error response. • https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb • CWE-918: Server-Side Request Forgery (SSRF)

CVSS: 10.0 • EPSS: 0% • CPEs: 1 • EXPL: 0

20 Jul 2022 — Digiwin BPM's function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL commands to access, modify, or delete the database, or disrupt service. • https://www.chtsecurity.com/news/09757883-fea6-4aff-9e22-8ae8c4f8f7bb • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')