Kun Xian Lin

DreamMaker developed by Interinfo has a Path Traversal vulnerability, allowing unauthenticated remote attackers to read file names under arbitrary path by exploiting an Absolute Path Traversal vulnerability.

DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing privileged local attackers to exploit Relative Path Traversal to download arbitrary system files.

DreamMaker developed by Interinfo has an Arbitrary File Read vulnerability, allowing unauthenticated local attackers to exploit Relative Path Traversal to download arbitrary system files.

DreamMaker developed by Interinfo has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

**Name of the Vulnerable Software and Affected Versions** DreamMaker (affected versions not specified) **Description** An arbitrary file upload flaw allows unauthenticated remote attackers to upload and execute web shell backdoors, which enables arbitrary code execution on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Ragic Enterprise Cloud Database (affected versions not specified) **Description** The Enterprise Cloud Database developed by Ragic has an Arbitrary File Upload issue. This allows remote attackers with specific privileges to upload and execute web shell backdoors, leading to arbitrary code execution on the server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** ANCHOR from Global Wisdom Software (affected versions not specified) **Description** The underlying Windows OS of the ANCHOR product contains high-privilege service accounts. If these accounts use default passwords, attackers could remotely log in to the virtual machine using the default credentials. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TRCore's DVC (affected versions not specified) **Description** The issue concerns a Path Traversal vulnerability in TRCore's DVC, which does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TRCore's DVC (affected versions not specified) **Description** The issue concerns a Path Traversal vulnerability in TRCore's DVC, which does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TRCore DVC versions up to 6.3 **Description** The issue allows unauthenticated remote attackers to exploit a Path Traversal vulnerability, enabling them to read arbitrary system files. This can lead to unauthorized file access. **Recommendations** For versions up to 6.3, patch immediately and review file permissions to mitigate the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** DVC from TRCore (affected versions not specified) **Description** The issue allows unauthenticated remote attackers to exploit a Path Traversal vulnerability, enabling them to read arbitrary system files. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TRCore DVC (affected versions not specified) **Description** The issue concerns a Path Traversal vulnerability in the DVC from TRCore, which also fails to restrict the types of files that can be uploaded. This vulnerability allows unauthenticated remote attackers to upload arbitrary files to any directory. As a result, attackers can achieve arbitrary code execution by uploading webshells. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DVC from TRCore (affected versions not specified) **Description** The issue concerns a Path Traversal vulnerability in the DVC from TRCore, which does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** TRCore DVC versions up to 6.3 **Description** The DVC from TRCore has a Path Traversal vulnerability and does not restrict the types of uploaded files. This allows unauthenticated remote attackers to upload arbitrary files to any directory, leading to arbitrary code execution by uploading webshells. **Recommendations** For TRCore DVC versions up to 6.3, patch systems immediately to prevent unauthorized access. As a temporary workaround, consider restricting the types of uploaded files and limiting access to sensitive directories until a patch is available. Prioritize a thorough security audit to identify any additional risks and review logs for signs of compromise.

**Name of the Vulnerable Software and Affected Versions** Enterprise Cloud Database from Ragic (affected versions not specified) **Description** The issue is related to the improper validation of file types for uploads in the Enterprise Cloud Database from Ragic. Attackers with regular privileges can exploit this by uploading a webshell, which allows them to execute arbitrary code on the remote server. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: Ragic Enterprise Cloud Database (affected versions not specified) Description: The issue is related to a lack of authentication for a critical function in the Ragic Enterprise Cloud Database, allowing unauthenticated remote attackers to obtain any user's session cookie. This could potentially lead to unauthorized access to sensitive data. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Hgiga OAKlouds (affected versions not specified) **Description** The issue affects Hgiga OAKlouds, allowing unauthenticated remote attackers to download arbitrary system files, which may then be deleted. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Name of the Vulnerable Software and Affected Versions: OMFLOW from The SYSCOM Group (affected versions not specified) Description: The issue involves the exposure of sensitive data, allowing remote attackers who have logged into the system to obtain password hashes of all users and administrators. Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmartStar Software CWS (affected versions not specified) **Description** The issue concerns the file uploading function of SmartStar Software CWS, a web-based integration platform, which does not restrict the upload of files with dangerous types. This allows an unauthenticated remote attacker to upload arbitrary files, potentially leading to the execution of arbitrary commands or disruption of service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** SmartStar Software CWS (affected versions not specified) **Description** The issue is related to missing authorization in the SmartStar Software CWS web-based integration platform. This allows users to access data or perform actions that they should not be allowed to, via commands. An authenticated user with normal privileges can execute administrator privileges, resulting in the ability to perform arbitrary system operations or disrupt the service. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.