Easyflow Net
Monthly
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.
Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.
SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.
Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.
Stored Cross-Site Scripting in Digiwin's EasyFlow .NET workflow platform enables authenticated low-privilege attackers to inject persistent JavaScript that executes in other users' browsers on page load. The CVSS 4.0 vector (PR:L/UI:P/SC:L/SI:L) confirms the attacker requires a valid low-privilege account to plant the payload, while victims trigger execution passively by navigating to affected pages - including administrators who may have elevated session privileges worth hijacking. No public exploit code and no CISA KEV listing have been identified at time of analysis, placing real-world risk in the medium tier, concentrated in multi-tenant or shared-user deployments.
SQL Injection in Digiwin EasyFlow .NET enables unauthenticated remote attackers to execute arbitrary SQL commands against the application database, allowing full compromise of data confidentiality, integrity, and availability. Taiwan CERT (TWCERT) publicly disclosed this critical vulnerability with CVSS 9.3 scoring, indicating network-accessible exploitation requiring no authentication or user interaction. No CISA KEV listing identified at time of analysis, suggesting either limited deployment scope or recent disclosure. EPSS data not provided, but CVSS vector (AV:N/AC:L/PR:N/UI:N) indicates trivial exploitation if product is internet-facing.
Critical SQL injection in Digiwin EasyFlow .NET allows unauthenticated remote attackers to execute arbitrary SQL commands against the application database. With maximum CVSS 4.0 score of 9.3 and network-accessible attack vector requiring no privileges or user interaction, this vulnerability enables complete database compromise. Taiwan CERT reported this issue, indicating regional targeting or discovery. No active exploitation confirmed in CISA KEV at time of analysis, but the combination of trivial exploitation conditions and catastrophic impact warrants immediate priority.
Digiwin EasyFlow .NET lacks proper access control for specific functionality, and the functionality do not adequately filter user input. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.