2021-02-01 02:47
CVE-2021-22860
EXCELLENT INFOTEK BiYan Broken Authentication
Current Description
EXCELLENT INFOTEK BiYan v2.9~v3.0 contains a broken authentication vulnerability that allows attackers to obtain unauthorized data, such as users' accounts and passwords, without authenticating.
This vulnerability affects many mail systems of governments, organizations and companies.
Details
The injection point is "query_person_by_order.aspx".
It allows remote attackers to obtain unauthorized data, such as users' accounts and passwords, via a request parameter, without authentication.
Description
Remote attackers can obtain unauthorized data such as users' accounts and passwords. After accessing a victim's account, remote attackers can modify its password. This compromises the confidentiality, integrity and availability of the data and the system.
Affected files
http://`[Target Domain]`/kw/auth/security/tree/asp/query_person_by_order.aspx
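Because the advisory names the affected endpoint but not the request parameter, the most useful thing a defender can do from the page alone is hunt for unauthenticated requests to that path in web-server access logs. The script below is an added example written for this page; it is not code from the advisory or from EXCELLENT INFOTEK. It assumes the BiYan server runs on IIS and writes the default W3C extended log format, and the log lines it processes are constructed for illustration.

```python
"""
Flag requests to the BiYan endpoint named in CVE-2021-22860
(query_person_by_order.aspx) that IIS logged with no authenticated user.

Assumptions (not from the advisory): the server is IIS with the default
W3C extended log fields, and the cs-username column reflects the request's
authentication state. The log lines below are constructed samples.
"""
from collections import Counter

# Path taken from the advisory's "Affected files" entry; IIS paths are
# case-insensitive, so matching is done in lower case.
TARGET_PATH = "/kw/auth/security/tree/asp/query_person_by_order.aspx"

# Default field order of the IIS W3C extended log format, used only when a
# log has no "#Fields:" header of its own.
DEFAULT_FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem",
                  "cs-uri-query", "s-port", "cs-username", "c-ip",
                  "cs(User-Agent)", "cs(Referer)", "sc-status", "sc-substatus",
                  "sc-win32-status", "time-taken"]

# Constructed sample log: two unauthenticated hits from one source, one hit
# by an authenticated Windows user, and one unrelated request. The query
# string is left as "-" because the advisory does not name the parameter.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2021-02-01 02:47:10 10.0.0.5 GET /kw/auth/security/tree/asp/query_person_by_order.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 120
2021-02-01 02:47:12 10.0.0.5 GET /kw/auth/security/tree/asp/query_person_by_order.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 98
2021-02-01 02:48:01 10.0.0.5 GET /kw/auth/security/tree/asp/Query_Person_By_Order.aspx - 443 DOMAIN\\alice 198.51.100.4 Mozilla/5.0 - 200 0 0 110
2021-02-01 02:49:30 10.0.0.5 GET /kw/index.aspx - 443 - 203.0.113.7 Mozilla/5.0 - 200 0 0 40
"""


def parse_iis_log(text):
    """Yield one dict per request line, naming columns from the #Fields header."""
    fields = DEFAULT_FIELDS
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # adopt the file's own column order
            continue
        if line.startswith("#"):
            continue  # other directive lines (#Software, #Date, ...)
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        yield dict(zip(fields, parts))


def find_unauthenticated_hits(text, target_path=TARGET_PATH):
    """Return successful requests to target_path with no IIS-authenticated user."""
    hits = []
    for rec in parse_iis_log(text):
        if rec["cs-uri-stem"].lower() != target_path.lower():
            continue
        if rec["cs-username"] == "-" and rec["sc-status"].startswith("2"):
            hits.append(rec)
    return hits


def sources_by_count(hits):
    """Count flagged requests per client address, for prioritising review."""
    return Counter(rec["c-ip"] for rec in hits)


if __name__ == "__main__":
    flagged = find_unauthenticated_hits(SAMPLE_LOG)
    for rec in flagged:
        print(rec["date"], rec["time"], rec["c-ip"], rec["cs-uri-stem"])
    print(sources_by_count(flagged))
```

One caveat when applying this to real logs: IIS fills cs-username only for Windows or Basic authentication. If BiYan uses forms-based or application-level sessions, every request will show "-" in that column, and the check above degrades to "anyone who touched the endpoint"; in that case correlate the flagged requests with the application's own session or audit records, and treat a single source address issuing many successful requests to this path as the stronger signal.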
Contributor
- Tony Kuo (CHT Security)