CVE-2021-22860

EXCELLENT INFOTEK BiYan Broken Authentication


Current Description

EXCELLENT INFOTEK BiYan v2.9~v3.0 is vulnerable to a broken authentication vulnerability, which allows attackers to obtain unauthorized data, such as users' account names and passwords, without authentication.

This vulnerability affects many mail systems of governments, organizations and companies.


Details

The injection point is "query_person_by_order.aspx".


It allows remote attackers to obtain unauthorized data, such as a user's account name and password, via a request parameter without authentication.


Description

Remote attackers can obtain unauthorized data, such as a user's account name and password. Once they can access a victim's account, remote attackers can modify the password. This compromises the confidentiality, integrity and availability of data and of the system.


Affected files

http://[Target Domain]/kw/auth/security/tree/asp/query_person_by_order.aspx
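A log-based check a defender could run for this exposure, added here as an example and not part of the original advisory. It assumes the server writes IIS W3C-format logs with a cs-username field (which is "-" for anonymous requests); the log excerpt is constructed for the example, not real traffic.

```python
from collections import Counter

# Path named in the advisory as the affected file.
AFFECTED_PATH = "/kw/auth/security/tree/asp/query_person_by_order.aspx"

# Constructed IIS W3C log excerpt (not real traffic); column order follows the #Fields: header.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query cs-username c-ip sc-status
2021-03-01 08:00:01 GET /kw/index.aspx - alice 10.0.0.5 200
2021-03-01 08:00:07 GET /kw/auth/security/tree/asp/query_person_by_order.aspx order=1 - 203.0.113.7 200
2021-03-01 08:00:09 GET /kw/auth/security/tree/asp/query_person_by_order.aspx order=2 - 203.0.113.7 200
2021-03-01 08:01:15 GET /kw/auth/security/tree/asp/query_person_by_order.aspx order=3 bob 10.0.0.9 200
2021-03-01 08:02:30 GET /kw/auth/security/tree/asp/query_person_by_order.aspx order=4 - 198.51.100.2 401
"""

def parse_w3c(log_text):
    """Yield one dict per log record, keyed by the names in the #Fields: header."""
    fields = None
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # skip malformed records rather than mis-assign columns
        yield dict(zip(fields, values))

def unauthenticated_hits(log_text, path=AFFECTED_PATH):
    """Records that reached the affected page with no authenticated user and got a 2xx."""
    return [
        rec for rec in parse_w3c(log_text)
        if rec["cs-uri-stem"].lower() == path.lower()
        and rec["cs-username"] == "-"
        and rec["sc-status"].startswith("2")  # 2xx means data was served, not rejected
    ]

def summarize(log_text, path=AFFECTED_PATH):
    """Count successful unauthenticated hits per client IP; any non-zero count warrants triage."""
    return Counter(rec["c-ip"] for rec in unauthenticated_hits(log_text, path))

if __name__ == "__main__":
    for ip, n in summarize(SAMPLE_LOG).items():
        print(f"{ip}: {n} unauthenticated 2xx request(s) to {AFFECTED_PATH}")
```

Requests that carried an authenticated username or were rejected with a non-2xx status are left out, so the result lists only anonymous requests that were actually answered by the affected page.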


Contributor

  • Tony Kuo (CHT Security)