An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to the FrameworkShellController component.
An attacker sends a specially crafted script to the FrameworkShellController component in the Weaver E-Cology application. This component processes the submitted data in an unsafe manner, resulting in execution of the delivered code on the server side. The attack requires no authentication or user interaction, and the network vector means it can be conducted remotely over the Internet.
An attacker can gain full control over the server — in terms of confidentiality, integrity, and availability of data and the system. System takeover, data theft, malicious software installation, or further lateral movement within the organization's network is possible.
Apply patches available from the manufacturer according to the references. The manufacturer is available at weaver.com.cn. Until the update is deployed, it is recommended to restrict access to the FrameworkShellController component at the firewall or reverse proxy level and isolate the system from the public Internet.
Weaver E-Cology version 10.0.2310.01
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWeaver E Cology
APPWeaver10.0.2310.01
Related vulnerabilities
Nieuwierzytelniony RCE w Weaver E-Cology przez endpoint DubboAPI debug
SQL Injection w Weaver E-Cology v9 — nieautoryzowany dostęp do bazy danych
Weaver E-Cology: Race Condition umożliwiający upload złośliwych plików i przejęcie serwera
RCE w Weaver E-Cology — zdalne wykonanie kodu przez spreparowane żądanie
A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application dire...