Ragic Enterprise Cloud Database Patches Multiple Flaws, Including CVE-2024-9984 (CVSS 9.8)
Taiwan’s Computer Emergency Response Team (TWCERT/CC) has issued a warning regarding multiple vulnerabilities discovered in the Ragic Enterprise Cloud Database, a popular no-code platform for building custom business applications.
These vulnerabilities, reported by the DEVCORE Red Team, are identified as CVE-2024-9983, CVE-2024-9984, and CVE-2024-9985, each carrying a different level of risk but all posing significant threats if left unpatched. They affect versions of the Ragic Enterprise Cloud Database prior to the update released on August 8, 2024.
Vulnerability Breakdown:
- CVE-2024-9983 (CVSS 7.5): Arbitrary File Read via Path Traversal: This flaw allows unauthenticated attackers to exploit a vulnerability in a specific page parameter to read arbitrary system files, potentially exposing sensitive information.
- CVE-2024-9984 (CVSS 9.8): Missing Authentication for Critical Functionality: A critical vulnerability allows unauthenticated remote attackers to exploit missing authentication checks and obtain any user’s session cookie. This could lead to complete account takeover and compromise of sensitive data.
- CVE-2024-9985 (CVSS 8.8): Arbitrary File Upload: This vulnerability enables attackers with regular user privileges to upload malicious files, such as webshells, to the server. This could allow them to execute arbitrary code and gain complete control of the system.
Impact and Remediation:
These vulnerabilities pose a significant risk to organizations using Ragic Enterprise Cloud Database. Successful exploitation could lead to:
- Data breaches: Sensitive business data could be stolen or manipulated.
- System compromise: Attackers could gain full control of the database server and connected systems.
- Disruption of operations: Critical business processes relying on the database could be disrupted.
Ragic has addressed these vulnerabilities in a security update released on August 8, 2024. TWCERT/CC strongly urges all users of Ragic Enterprise Cloud Database to update their systems to version 2024/08/08 09:45:25 or later immediately.
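For teams running more than one Ragic instance, the remediation above reduces to a timestamp comparison against the fixed build. The following is an added example for triaging an inventory, not code from Ragic or TWCERT/CC; it assumes Ragic reports its build version in the same `YYYY/MM/DD HH:MM:SS` layout as the version string quoted in the advisory, and the sample inventory is constructed.

```python
from datetime import datetime
from typing import Dict, List, Optional

# Fixed build named in the TWCERT/CC advisory.
RAGIC_FIX_VERSION = "2024/08/08 09:45:25"

# Assumption: Ragic build versions are timestamps in this layout,
# matching the version string given in the advisory.
VERSION_FORMAT = "%Y/%m/%d %H:%M:%S"


def parse_version(version: str) -> Optional[datetime]:
    """Parse a Ragic build timestamp; None if the string is not in the expected layout."""
    try:
        return datetime.strptime(version.strip(), VERSION_FORMAT)
    except ValueError:
        return None


def is_patched(version: str) -> Optional[bool]:
    """True for the fixed build or later, False for an earlier build,
    None when the version cannot be parsed (treat as needing manual review)."""
    build = parse_version(version)
    if build is None:
        return None
    return build >= parse_version(RAGIC_FIX_VERSION)


def triage(inventory: Dict[str, str]) -> Dict[str, List[str]]:
    """Bucket a host -> version map into patched, vulnerable and unknown hosts."""
    buckets: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": []}
    for host, version in sorted(inventory.items()):
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "vulnerable")
        buckets[key].append(host)
    return buckets


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are made up.
    sample = {
        "ragic-prod-01": "2024/08/08 09:45:25",
        "ragic-prod-02": "2024/07/30 11:02:13",
        "ragic-stage": "2024/09/12 08:00:00",
        "ragic-legacy": "unknown",
    }
    for bucket, hosts in triage(sample).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```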