
CVE-2025-2706 – Digiwin ERP UploadAjaxAPI.ashx unrestricted upload
https://notcve.org/view.php?id=CVE-2025-2706
24 Mar 2025 — A vulnerability classified as critical was found in Digiwin ERP 5.0.1. Affected by this vulnerability is an unknown functionality of the file /Api/TinyMce/UploadAjaxAPI.ashx. The manipulation of the argument File leads to unrestricted upload. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. • https://github.com/Rain1er/report/blob/main/THNlcnBf/RCE_5.md • CWE-284: Improper Access Control CWE-434: Unrestricted Upload of File with Dangerous Type •

CVE-2024-7837 – SQLi in Firmanet Software's ERP
https://notcve.org/view.php?id=CVE-2024-7837
22 Nov 2024 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Firmanet Software ERP allows SQL Injection. This issue affects ERP: through 22.11.2024. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. • https://www.usom.gov.tr/bildirim/tr-24-1868 • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •

CVE-2020-8967 – GESIO SQL injection vulnerability
https://notcve.org/view.php?id=CVE-2020-8967
01 Jun 2020 — There is an Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) vulnerability in PHP files of GESIO ERP. GESIO ERP, all versions prior to 11.2, allows malicious users to retrieve all database information. • https://www.incibe-cert.es/en/early-warning/security-advisories/gesio-sql-injection-vulnerability • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •