CVSS: 5.4EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11021 – Grand Vice info Webopac - Stored XSS
https://notcve.org/view.php?id=CVE-2024-11021
Webopac from Grand Vice info has Stored Cross-site Scripting vulnerability. Remote attackers with regular privileges can inject arbitrary JavaScript code into the server. When users visit the compromised page, the code is automatically executed in their browser. • https://www.twcert.org.tw/en/cp-139-8220-e75c2-2.html https://www.twcert.org.tw/tw/cp-132-8219-f12d0-1.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11018 – Grand Vice info Webopac - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11018
Webopac from Grand Vice info does not properly validate uploaded file types, allowing unauthenticated remote attackers to upload and execute webshells, which could lead to arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-8214-64fa2-2.html https://www.twcert.org.tw/tw/cp-132-8213-3413b-1.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 8.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11017 – Grand Vice info Webopac - Arbitrary File Upload
https://notcve.org/view.php?id=CVE-2024-11017
Webopac from Grand Vice info does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells, which could lead to arbitrary code execution on the server. • https://www.twcert.org.tw/en/cp-139-8212-a7d3a-2.html https://www.twcert.org.tw/tw/cp-132-8211-a2da2-1.html • CWE-434: Unrestricted Upload of File with Dangerous Type •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2024-11016 – Grand Vice info Webopac - SQL Injection
https://notcve.org/view.php?id=CVE-2024-11016
Webopac from Grand Vice info has a SQL Injection vulnerability, allowing unauthenticated remote attacks to inject arbitrary SQL commands to read, modify, and delete database contents. • https://www.twcert.org.tw/en/cp-139-8210-46322-2.html https://www.twcert.org.tw/tw/cp-132-8209-bf75d-1.html • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •