CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Property Management System

Summary

Vulnerability List

[CVE-2021-22856] - SQL Injection

[CVE-2021-22857] - Directory Traversal

[CVE-2021-22858] - Broken Authentication and upload remote code execution

Details

1. SQL Injection

Description

There are several parameters that were affected by SQL Injection.

Impact

This vulnerability allows attackers to perform a SQL injection query string to bypass the login page and retrieve data from databases.

Known Affected Software

• version before the year 2021.

2. Directory Traversal

Description

There are several parameters that can be manipulated by attackers.

Impact

Attacker can download the files of the target machine for further analysis.

Known Affected Software

• version before the year 2021.

3. Broken Authentication and Upload Remote Code Execution (File Upload RCE) 

Description

There are several file upload fields that contain a vulnerability of misconfigured file upload filter. 

Impact

Attackers can upload unrestricted file that would allow attackers to gain access in the hosting machine.

Known Affected Software

• version before the year 2021.

Credits

Jalong Chen (CHT Security)