Easy7 Integrated Management Platform
Monthly
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler component that allows unauthenticated remote attackers to manipulate username and password parameters via the /WebService/UpdateLocalDevInfo.jsp endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
SQL injection in Tiandy Easy7 Integrated Management Platform versions up to 7.17.0 allows unauthenticated remote attackers to manipulate the ID parameter in the /rest/preSetTemplate/getRecByTemplateId endpoint, potentially enabling unauthorized data access, modification, or service disruption. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an SQL injection vulnerability in the /rest/devStatus/getDevDetailedInfo endpoint that allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. The vulnerability enables unauthorized access to, modification of, and disruption of sensitive data, with public exploit code already available. No patch has been released despite early vendor notification.
An unrestricted file upload vulnerability exists in the Tiandy Easy7 Integrated Management Platform version 7.17.0, specifically in the /rest/file/uploadLedImage endpoint. This vulnerability allows remote attackers without authentication to upload arbitrary files, potentially leading to remote code execution. A proof-of-concept exploit has been publicly released and the vendor has not responded to disclosure attempts, leaving this vulnerability unpatched and actively exploitable.
Tiandy Easy7 Integrated Management Platform 7.17.0 contains an authentication bypass in the Device Identifier Handler component that allows unauthenticated remote attackers to manipulate username and password parameters via the /WebService/UpdateLocalDevInfo.jsp endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.