PT-2026-36125 · Fanwei · E-Cology
Published 2026-04-30 · Updated 2026-04-30
CVE-2022-50992 · CVSS v3.1 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Weaver (Fanwei) E-cology versions 9.5 through 10.51
Description
The XmlRpcServlet interface at the XML-RPC endpoint contains a flaw that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can use these methods to retrieve sensitive information, such as database credentials and system configuration files, from the server. Evidence of exploitation was first observed on 2022-12-14 (UTC).
Recommendations
Update to version 10.52 or later.
As a temporary workaround, restrict access to the XML-RPC endpoint or disable the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods.
Exploit
Fix
Path traversal
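The temporary workaround above can be enforced at a reverse proxy or gateway in front of the XML-RPC endpoint. The following is an added example (not code from the advisory or from the vendor): it parses an XML-RPC methodCall body, blocks calls to the two named methods, and additionally blocks any call whose parameters contain directory-traversal sequences. The sample requests are constructed, and the method name WorkflowService.getWorkflowList in them is hypothetical.

```python
import re
import xml.etree.ElementTree as ET

# The two methods the advisory's workaround says to disable (names from the advisory).
DISABLED_METHODS = {
    "WorkflowService.getAttachment",
    "WorkflowService.LoadTemplateProp",
}
# Plain and URL-encoded directory-traversal sequences ("../", "..\", %2e%2e%2f, %2e%2e%5c).
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e(?:%2f|%5c)", re.IGNORECASE)


def inspect_xmlrpc_call(body: str) -> dict:
    """Classify one XML-RPC <methodCall> body for a gateway or WAF rule.

    Returns the method name, whether the request should be blocked, and the
    reason: disabled_method, traversal, malformed, or none.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        # Fail closed: an unparseable body never reaches the servlet.
        return {"method": None, "block": True, "reason": "malformed"}
    name_el = root.find("methodName")
    method = (name_el.text or "").strip() if name_el is not None else ""
    # Collect the text of every parameter, whatever its declared XML-RPC type.
    params = ["".join(p.itertext()).strip() for p in root.iter("param")]
    if method in DISABLED_METHODS:
        return {"method": method, "block": True, "reason": "disabled_method"}
    if any(TRAVERSAL.search(p) for p in params):
        return {"method": method, "block": True, "reason": "traversal"}
    return {"method": method, "block": False, "reason": "none"}


# Constructed sample requests (the method name getWorkflowList is hypothetical).
BENIGN_CALL = """<methodCall>
  <methodName>WorkflowService.getWorkflowList</methodName>
  <params><param><value><string>1</string></value></param></params>
</methodCall>"""

DISABLED_CALL = """<methodCall>
  <methodName>WorkflowService.getAttachment</methodName>
  <params><param><value><string>placeholder</string></value></param></params>
</methodCall>"""

TRAVERSAL_CALL = """<methodCall>
  <methodName>WorkflowService.getWorkflowList</methodName>
  <params><param><value><string>../../placeholder.txt</string></value></param></params>
</methodCall>"""

if __name__ == "__main__":
    for body in (BENIGN_CALL, DISABLED_CALL, TRAVERSAL_CALL):
        print(inspect_xmlrpc_call(body))
```

Blocking by method name is the workaround itself; the traversal check is a defence-in-depth rule that also catches other methods accepting file paths, at the cost of false positives on legitimate values containing "..".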
Weakness Enumeration
Related Identifiers
Affected Products
E-Cology