Digiwin ERP Unrestricted File Upload Vulnerability in UploadAjaxAPI.ashx

Vulnerability

A critical unrestricted file upload vulnerability has been identified in Digiwin ERP version 5.0.1. The affected handler, '/Api/TinyMce/UploadAjaxAPI.ashx', does not adequately validate the file submitted in the 'File' argument, so an attacker who can reach the endpoint can upload arbitrary files without authorization. The vulnerability is exploitable remotely over the network.

Impact

Exploitation allows an attacker to place arbitrary files on the server. The severity depends on where the uploaded file is stored and how it is served: if it lands in a web-accessible directory and the server executes its extension (for example an ASP.NET script such as .aspx or .ashx), the result is remote code execution in the context of the application pool; even where execution is not possible, the attacker can host phishing or malware content on the trusted ERP host, overwrite or pollute existing content, and exhaust disk space with oversized uploads.

Reproduction

To reproduce this vulnerability, send an upload request to the '/Api/TinyMce/UploadAjaxAPI.ashx' endpoint with the 'File' argument set to a file of the attacker's choosing. Because the handler enforces neither a file-type allowlist nor a size limit, files of any type and size are accepted. A practitioner verifying exposure should confirm whether the endpoint is reachable without a valid session and where the accepted file is written; the advisory does not document a vendor fix, so restricting network access to the handler and monitoring it are the immediate mitigations.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.0
exploitability: 6.6
remediation: 0.0
relevance: 0.0
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.