MidnightBSD

Advisories for wellchoose

CVE-2024-10200

Administrative Management System from Wellchoose has a Path Traversal vulnerability, allowing unauthenticated remote attackers to exploit this vulnerability to download arbitrary files on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
wellchoose administrative_management_system -
CVE-2024-10201

Administrative Management System from Wellchoose does not properly validate uploaded file types, allowing remote attackers with regular privileges to upload and execute webshells.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wellchoose administrative_management_system -
CVE-2024-10202

Administrative Management System from Wellchoose has an OS Command Injection vulnerability, allowing remote attackers with regular privileges to inject and execute arbitrary OS commands.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wellchoose administrative_management_system -
CVE-2025-8909

Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing remote attackers with regular privileges to exploit Absolute Path Traversal to download arbitrary system files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2025-8910

Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2025-8911

Organization Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2025-8912

Organization Portal System developed by WellChoose has an Arbitrary File Reading vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2025-8913

Organization Portal System developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2025-8914

Organization Portal System developed by WellChoose has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.5 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N 2.8 3.6
nvd@nist.gov 7.5 HIGH CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N 3.9 3.6

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2026-1427

Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wellchoose single_sign-on_portal_system *
CVE-2026-1428

Single Sign-On Portal System developed by WellChoose has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 8.8 HIGH CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H 2.8 5.9

Products Affected

Vendor Product Version
wellchoose single_sign-on_portal_system *
CVE-2026-1429

Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 5.4 MEDIUM CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N 2.3 2.7

Products Affected

Vendor Product Version
wellchoose single_sign-on_portal_system *
CVE-2026-3824

IFTOP developed by WellChoose has an Open redirect vulnerability, allowing authenticated remote attackers to craft a URL that tricks users into visiting malicious website.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2026-3825

IFTOP developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 6.1 MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N 2.8 2.7

Products Affected

Vendor Product Version
wellchoose organization_portal_system *
CVE-2026-3826

IFTOP developed by WellChoose has a Local File Inclusion vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server.

CVSS 3.x

Source Score Severity Vector Exploitability Impact
twcert@cert.org.tw 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H 3.9 5.9

Products Affected

Vendor Product Version
wellchoose organization_portal_system *