CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Property Management System
Summary
Vulnerability List
[CVE-2021-22856] - SQL Injection
[CVE-2021-22857] - Directory Traversal
[CVE-2021-22858] - Broken Authentication and upload remote code execution
Details
1. SQL Injection
Description
There are several parameters that were affected by SQL Injection.
Impact
This vulnerability allows attackers to perform a SQL injection query string to bypass the login page and retrieve data from databases.
Known Affected Software
- version before the year 2021.
2. Directory Traversal
Description
There are several parameters that can be manipulated by attackers.
Impact
Attacker can download the files of the target machine for further analysis.
Known Affected Software
- version before the year 2021.
3. Broken Authentication and Upload Remote Code Execution (File Upload RCE)
Description
There are several file upload fields that contain a vulnerability of misconfigured file upload filter.
Impact
Attackers can upload unrestricted file that would allow attackers to gain access in the hosting machine.
Known Affected Software
- version before the year 2021.
Credits
Jalong Chen (CHT Security)