A vulnerability was found in Weaver E-cology allows attackers use race conditions to bypass security mechanisms to upload malicious files and control server privileges
The vulnerability (CWE-362) consists of a time-of-check-time-of-use race condition in the access control mechanism during file upload. An attacker can win this race and upload a malicious file before the system has time to verify its admissibility or apply appropriate security restrictions. As a result, the file reaches the server bypassing normal security measures, which opens the door to further privilege escalation.
An attacker can upload malicious files (e.g., webshell) to the server and gain full control over its permissions, which in practice means the ability to execute arbitrary commands, steal data, and perform lateral movement within the network.
Patches available from the vendor should be applied according to the references. It is also recommended to restrict network access to the application interface only to trusted IP addresses and to monitor file upload attempts on the server.
Weaver E-Cology — versions indicated in vendor references
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HWeaver E Cology
APPWeaver9.0
Related vulnerabilities
Nieuwierzytelniony RCE w Weaver E-Cology przez endpoint DubboAPI debug
SQL Injection w Weaver E-Cology v9 — nieautoryzowany dostęp do bazy danych
RCE w Weaver E-Cology — zdalne wykonanie kodu przez spreparowane żądanie
RCE w Weaver E-Cology — wykonanie kodu przez FrameworkShellController
A SQL injection vulnerability exists in Weaver E-cology 8.0 via the getdata.jsp endpoint. The application dire...