Dreammaker
Monthly
Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file names under arbitrary filesystem paths on the host. The vulnerability stems from CWE-36 (Absolute Path Traversal) and is exploitable over the network without any credentials or user interaction, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). Confidentiality impact is limited to file name disclosure rather than full file content retrieval, per the VC:L scoring. No public exploit code or CISA KEV listing has been identified at time of analysis.
Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundaries and download arbitrary system files. The vulnerability stems from insufficient path normalization in a file download or retrieval function, enabling exfiltration of sensitive system content without modifying or disrupting the target. No public exploit code has been identified at time of analysis, and the requirement for high privileges (PR:H per CVSS 4.0) materially limits the attacker pool.
Arbitrary file read in Interinfo DreamMaker allows remote unauthenticated attackers to retrieve sensitive system files by abusing a relative path traversal flaw in the application's file-handling logic. The issue is rated CVSS 4.0 8.7 (High) due to network exploitability with no privileges or user interaction, though impact is confined to confidentiality. No public exploit identified at time of analysis, and the disclosure was coordinated through TWCERT (Taiwan's national CERT).
Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell backdoors and achieve arbitrary code execution on the underlying server. The flaw carries a CVSS 4.0 score of 8.6 and was reported via TWCERT, with no public exploit identified at time of analysis. Despite the high privilege requirement, the network-reachable vector and full CIA impact on the host make this a meaningful post-authentication compromise primitive.
Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.
Absolute Path Traversal in DreamMaker (developed by Interinfo) allows unauthenticated remote attackers to enumerate file names under arbitrary filesystem paths on the host. The vulnerability stems from CWE-36 (Absolute Path Traversal) and is exploitable over the network without any credentials or user interaction, as confirmed by the CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N). Confidentiality impact is limited to file name disclosure rather than full file content retrieval, per the VC:L scoring. No public exploit code or CISA KEV listing has been identified at time of analysis.
Arbitrary file read in Interinfo's DreamMaker application allows privileged attackers to traverse relative path boundaries and download arbitrary system files. The vulnerability stems from insufficient path normalization in a file download or retrieval function, enabling exfiltration of sensitive system content without modifying or disrupting the target. No public exploit code has been identified at time of analysis, and the requirement for high privileges (PR:H per CVSS 4.0) materially limits the attacker pool.
Arbitrary file read in Interinfo DreamMaker allows remote unauthenticated attackers to retrieve sensitive system files by abusing a relative path traversal flaw in the application's file-handling logic. The issue is rated CVSS 4.0 8.7 (High) due to network exploitability with no privileges or user interaction, though impact is confined to confidentiality. No public exploit identified at time of analysis, and the disclosure was coordinated through TWCERT (Taiwan's national CERT).
Arbitrary file upload in Interinfo DreamMaker allows authenticated high-privilege remote attackers to upload web shell backdoors and achieve arbitrary code execution on the underlying server. The flaw carries a CVSS 4.0 score of 8.6 and was reported via TWCERT, with no public exploit identified at time of analysis. Despite the high privilege requirement, the network-reachable vector and full CIA impact on the host make this a meaningful post-authentication compromise primitive.
Unauthenticated arbitrary file upload in Interinfo DreamMaker allows remote attackers to upload web shell backdoors and execute arbitrary code on the server, scoring CVSS 4.0 9.3 (Critical). No public exploit identified at time of analysis, but the combination of no authentication, low attack complexity, and complete CIA impact makes this a high-priority issue. TWCERT (Taiwan's national CERT) is the reporting source, indicating regional advisory coordination.