CHT Security Red Team Discovered Vulnerabilities in Well-Known EDM System

Summary

Vulnerability List

[CVE-2022-32963] – Path Traversal

[CVE-2022-35216] – Path Traversal

[CVE-2022-32964] – SQL Injection

[CVE-2022-32965] – Use of Hard-coded Credentials


Details

1. Path Traversal

Description

A parameter in a specific function is affected by Path Traversal.

Impact

An attacker can download files from the target machine for further analysis.

Known Affected Software

  • Versions before 6.0

Credits

  • Xin-Yue, Song (CHT Security)


2. Path Traversal

Description

A parameter in a specific function is affected by Path Traversal.

Impact

An attacker can download files from the target machine for further analysis.

Known Affected Software

  • Versions before 6.0

Credits

  • Xin-Yue, Song (CHT Security)

3. SQL Injection

Description

Several parameters are affected by SQL Injection.

Impact

This vulnerability allows attackers to perform unwanted SQL queries and access arbitrary files in the database.

Known Affected Software

  • Versions before 6.0

Credits

  • Xin-Yue, Song (CHT Security)

4. Use of Hard-coded Credentials

Description

The server has a hard-coded machine key.

Impact

An unauthenticated remote attacker can use the machine key to send a serialized payload to the server to execute arbitrary code, manipulate system data, and disrupt service.

Known Affected Software

  • Versions before 6.0

Credits

  • Xin-Yue, Song (CHT Security)