Sun.netCVEs & Vulnerabilities

17 CVEs affecting Sun.net products, tracked from the National Vulnerability Database, with CVSS/EPSS scores and exploitation status.

Most Affected Products

ehrd ctms 14wmpro 4
CVE-2025-9570MEDIUM

The eHRD CTMS developed by Sunnet has an Arbitrary File Reading vulnerability, allowing remote attackers with administrator privileges to exploit Relative Path Traversal to download arbitrary system files.

1 Sep 2025
4.9
CVSS
CVE-2025-9569MEDIUM

The eHRD developed by Sunnet has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

1 Sep 2025
6.1
CVSS
CVE-2025-9568MEDIUM

The eHRD developed by Sunnet has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

1 Sep 2025
6.1
CVSS
CVE-2025-9567MEDIUM

The eHRD developed by Sunnet has a Reflected Cross-site Scripting vulnerability, allowing unauthenticated remote attackers to execute arbitrary JavaScript codes in user's browser through phishing attacks.

1 Sep 2025
6.1
CVSS
CVE-2025-54946CRITICAL

A SQL injection vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary SQL commands.

30 Aug 2025
9.8
CVSS
CVE-2025-54945CRITICAL

An external control of file name or path vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to execute arbitrary system commands via a malicious file by controlling the destination file path.

30 Aug 2025
9.8
CVSS
CVE-2025-54944CRITICAL

An unrestricted upload of file with dangerous type vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to write malicious code in a specific file, which may lead to arbitrary code execution.

30 Aug 2025
9.8
CVSS
CVE-2025-54943CRITICAL

A missing authorization vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to perform unauthorized application deployment due to the absence of proper access control checks.

30 Aug 2025
9.8
CVSS
CVE-2025-54942CRITICAL

A missing authentication for critical function vulnerability in SUNNET Corporate Training Management System before 10.11 allows remote attackers to access deployment functionality without prior authentication.

30 Aug 2025
9.8
CVSS
CVE-2025-3707MEDIUM

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing remote attackers with regular privileges to inject arbitrary SQL command to read database contents.

2 May 2025
6.5
CVSS
CVE-2024-10440CRITICAL

The eHDR CTMS from Sunnet has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL command to read, modify, and delete database contents.

28 Oct 2024
9.8
CVSS
CVE-2024-10439HIGH

The eHRD CTMS from Sunnet has an Insecure Direct Object Reference (IDOR) vulnerability, allowing unauthenticated remote attackers to modify a specific parameter to access arbitrary files uploaded by any user.

28 Oct 2024
7.5
CVSS
CVE-2024-10438HIGH

The eHRD CTMS from Sunnet has an Authentication Bypass vulnerability, allowing unauthenticated remote attackers to bypass authentication by satisfying specific conditions in order to access certain functionalities.

28 Oct 2024
7.5
CVSS
CVE-2023-35851HIGH

SUNNET WMPro portal's FAQ function has insufficient validation for user input. An unauthenticated remote attacker can inject arbitrary SQL commands to obtain sensitive information via a database.

18 Sep 2023
7.5
CVSS
CVE-2023-35850HIGH

SUNNET WMPro portal's file management function has a vulnerability of insufficient filtering for user input. A remote attacker with administrator privilege or a privileged account can exploit this vulnerability to inject and execute arbitrary system commands to perform arbitrary system operations or disrupt service.

18 Sep 2023
7.2
CVSS
CVE-2023-24836HIGH

SUNNET CTMS has vulnerability of path traversal within its file uploading function. An authenticated remote attacker with general user privilege can exploit this vulnerability to upload and execute scripts onto arbitrary directories to perform arbitrary system operation or disrupt service.

27 Apr 2023
8.8
CVSS
CVE-2019-11062CRITICAL

The SUNNET WMPro v5.0 and v5.1 for eLearning system has OS Command Injection via "/teach/course/doajaxfileupload.php". The target server can be exploited without authentication.

11 Jul 2019
9.8
CVSS
← PrevPage 1 / 1Next →