Enterprise Cloud Database
Monthly
Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.
Stored XSS in Ragic Enterprise Cloud Database permits unauthenticated remote attackers to inject persistent JavaScript into application data, which then executes in the browsers of any user who loads the affected page. Because the payload is stored server-side, a single injection event affects all subsequent visitors without further attacker interaction. No active exploitation is confirmed in CISA KEV and no public proof-of-concept code has been identified at time of analysis, but the CVSS 4.0 PR:N rating confirms no authentication is needed to plant the payload.
Enterprise Cloud Database from Ragic does not properly validate the file type for uploads. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Enterprise Cloud Database from Ragic does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Unrestricted file upload in Ragic Enterprise Cloud Database exposes all versions to unauthenticated remote exploitation, allowing attackers to plant malicious files that are subsequently served to authenticated platform users for download. The root cause is CWE-434 (Unrestricted Upload of File with Dangerous Type), meaning the application performs no meaningful validation of file type, content, or extension before persisting uploads. No public exploit has been identified at time of analysis, and no CISA KEV listing is present, but the zero-authentication requirement and network-accessible attack vector make this a low-barrier, high-supply-chain-risk issue in environments where Ragic is used for file collaboration.
Stored XSS in Ragic Enterprise Cloud Database permits unauthenticated remote attackers to inject persistent JavaScript into application data, which then executes in the browsers of any user who loads the affected page. Because the payload is stored server-side, a single injection event affects all subsequent visitors without further attacker interaction. No active exploitation is confirmed in CISA KEV and no public proof-of-concept code has been identified at time of analysis, but the CVSS 4.0 PR:N rating confirms no authentication is needed to plant the payload.
Enterprise Cloud Database from Ragic does not properly validate the file type for uploads. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Enterprise Cloud Database from Ragic does not authenticate access to specific functionality, allowing unauthenticated remote attackers to use this functionality to obtain any user's session cookie. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Enterprise Cloud Database from Ragic does not properly validate a specific page parameter, allowing unauthenticated remote attackers to exploit this vulnerability to read arbitrary system files. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Rogic No-Code Database Builder's file uploading function has insufficient filtering for special characters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.