CVE-2024-4893

CRITICAL

DigiWin EasyFlow .NET - SQL Injection

Title source: llm
STIX 2.1

Description

DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands.

References (2)

Core 2
Core References
Various Sources third-party-advisory
https://www.twcert.org.tw/tw/cp-132-7800-843f1-1.html
Various Sources third-party-advisory
https://www.twcert.org.tw/en/cp-139-7801-67d07-2.html

Scores

CVSS v3 9.8
EPSS 0.0079
EPSS Percentile 51.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (4)
DigiWin/EasyFlow .NET 3.x
DigiWin/EasyFlow .NET 5.x
DigiWin/EasyFlow .NET 6.1.x
DigiWin/EasyFlow .NET 6.6.x - v6.6.15
Published May 15, 2024
Tracked Since Feb 18, 2026