CRITICAL🇵🇱 Wersja polska

CVE-2024-48069

CVSS 9.8v3.1pub. 2024-11-19upd. 2025-06-05

A vulnerability was found in Weaver E-cology allows attackers use race conditions to bypass security mechanisms to upload malicious files and control server privileges

🤖 AI Analysis
How it works

The vulnerability (CWE-362) consists of a time-of-check-time-of-use race condition in the access control mechanism during file upload. An attacker can win this race and upload a malicious file before the system has time to verify its admissibility or apply appropriate security restrictions. As a result, the file reaches the server bypassing normal security measures, which opens the door to further privilege escalation.

Impact

An attacker can upload malicious files (e.g., webshell) to the server and gain full control over its permissions, which in practice means the ability to execute arbitrary commands, steal data, and perform lateral movement within the network.

Mitigation & patch

Patches available from the vendor should be applied according to the references. It is also recommended to restrict network access to the application interface only to trusted IP addresses and to monitor file upload attempts on the server.

Who is affected

Weaver E-Cology — versions indicated in vendor references

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Weaver E Cology

    APP
    Weaver
    9.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Race Condition
CWE
References

Related vulnerabilities

CVE-2026-22679CRITICAL9.3PL ✓ten sam produkt

Nieuwierzytelniony RCE w Weaver E-Cology przez endpoint DubboAPI debug

CVE-2024-48072CRITICAL9.8PL ✓ten sam produkt

SQL Injection w Weaver E-Cology v9 — nieautoryzowany dostęp do bazy danych

CVE-2024-48070CRITICAL9.8PL ✓ten sam produkt

RCE w Weaver E-Cology — zdalne wykonanie kodu przez spreparowane żądanie

CVE-2023-51892CRITICAL9.8PL ✓ten sam produkt

RCE w Weaver E-Cology — wykonanie kodu przez FrameworkShellController

CVE-2025-34038HIGH8.7ten sam produkt

A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application dire...