CHT Security Red Team Discovered Vulnerability in Well-Known EDM System
Summary
Vulnerability List
[CVE-2022-32963] – Path Traversal
[CVE-2022-35216] – Path Traversal
[CVE-2022-32964] – SQL Injection
[CVE-2022-32965] – Use of Hard-coded Credentials
Details
1. Path Traversal
Description
There is a parameter affected by Path Traversal in specific function.
Impact
Attacker can download the files of the target machine for further analysis.
Known Affected Software
- Version before 6.0
Credits
- Xin-Yue, Song (CHT Security)
2. Path Traversal
Description
There is a parameter affected by Path Traversal in specific function.
Impact
Attacker can download the files of the target machine for further analysis.
Known Affected Software
- Version before 6.0
Credits
- Xin-Yue, Song (CHT Security)
3. SQL Injection
Description
There are several parameters that were affected by SQL Injection.
Impact
This vulnerability allows attackers to perform unwanted SQL queries and access arbitrary file in the database.
Known Affected Software
- Version before 6.0
Credits
- Xin-Yue, Song (CHT Security)
4. Use of Hard-coded Credentials
Description
The server has a hard-coded machine key.
Impact
An unauthenticated remote attacker can use the machine key to send serialized payload to the server to execute arbitrary code, manipulate system data and disrupt service.
Known Affected Software
- Version before 6.0
Credits
Xin-Yue, Song (CHT Security)