CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2706 – Digiwin ERP UploadAjaxAPI.ashx unrestricted upload
https://notcve.org/view.php?id=CVE-2025-2706
24 Mar 2025 — A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_5.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 1CVE-2025-2705 – Digiwin ERP FileUploadApi.ashx DoWebUpload unrestricted upload
https://notcve.org/view.php?id=CVE-2025-2705
24 Mar 2025 — A vulnerability classified as critical has been found in Digiwin ERP 5.1. Affected is the function DoUpload/DoWebUpload of the file /Api/FileUploadApi.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_3.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •