TWCERT/CC Taiwan Computer Emergency Response Team/Coordination Center


DigiWin EasyFlow .NET - SQL Injection

TVN ID: TVN-202405001
CVE ID: CVE-2024-4893
CVSS: 9.8 (Critical)
Affected Products: EasyFlow .NET V3.x, V5.x, V6.1.x, V6.6.x
Description: DigiWin EasyFlow .NET lacks validation for certain input parameters, allowing remote attackers to inject arbitrary SQL commands. This vulnerability enables unauthorized access to read, modify, and delete database records, as well as execute system commands.
Solution: Install patch for V3.x, V5.x and V6.1.x (released on 2023/12/30 or later). Update V6.6.x to V6.6.15 or later version.
Credit: Huang Yu Ze (CHT Security)
Public Date: 2024-05-15