CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Learning System

Summary

Vulnerability List

1. [CVE-2020-10508] Sensitive Data Exposure

2. [CVE-2020-10509] Cross-Site Scripting (Reflected XSS)

3. [CVE-2020-10510] Broken Access Control

Details

1. Sensitive Data Exposure

Description

Improperly stores system files. Attackers can use a specific URL and capture confidential information.

Impact

The leaked personal information and login accounts of the system can be taken for further attack.

Known Affected Software

  • version 8 and version 9.

2. Cross-Site Scripting (Reflected XSS)

Description

There are several parameters that were affected by reflected XSS.

Impact

If an attacker can control a script that is executed in the victim's browser, personal information may be leaked to attackers via the vulnerability.

Known Affected Software

  • version 8 and version 9.

3. Broken Access Control

Description

After login, attackers can use a specific URL, access unauthorized functionality and data.

Impact

Attackers can conduct vertical privilege escalation via unauthorized page access.

Known Affected Software

  • version 8 and version 9.

Credits

  • Jalong Chen (CHT Security)