漏洞信息
尽管我们使用了先进的大模型技术,但其输出仍可能包含不准确或过时的信息。神龙努力确保数据的准确性,但请您根据实际情况进行核实和判断。
Vulnerability Title
Weaver E-cology 9.5 Unauthenticated Arbitrary File Read via XmlRpcServlet
Vulnerability Description
Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Vulnerability Title
Weaver E-cology 路径遍历漏洞
Vulnerability Description
Weaver E-cology是中国泛微(Weaver)公司的一个协同管理平台。 Weaver E-cology 9.5 10.52之前版本存在路径遍历漏洞,该漏洞源于XmlRpcServlet接口的XML-RPC端点存在任意文件读取漏洞,允许未经身份验证的远程攻击者通过向WorkflowService.getAttachment和WorkflowService.LoadTemplateProp方法提供文件路径来读取任意文件,包括系统配置文件和数据库凭据。
CVSS Information
N/A
Vulnerability Type
N/A