CVE-2024-5311

CRITICAL

DigiWin EasyFlow .NET - SQL Injection

Title source: llm
STIX 2.1

Description

DigiWin EasyFlow .NET lacks validation for certain input parameters. An unauthenticated remote attacker can inject arbitrary SQL commands to read, modify, and delete database records.

References (1)

Core 1
Core References
Various Sources third-party-advisory
https://www.twcert.org.tw/tw/cp-132-7844-52dad-1.html

Scores

CVSS v3 9.8
EPSS 0.0063
EPSS Percentile 45.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-89
Status published
Products (3)
DigiWin/EasyFlow .NET 5.x
DigiWin/EasyFlow .NET 6.1.x
DigiWin/EasyFlow .NET 6.6.x - 6.6.16
Published Jun 03, 2024
Tracked Since Feb 18, 2026