CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Portal System

Summary

Vulnerability List

1. [CVE-2021-22850] Security Misconfiguration


2. [CVE-2021-22851] [CVE-2021-22852] Pre-Auth SQL Injection -1

 

Details

1. Security Misconfiguration

Description

The portal system is vulnerable to a broken authentication vulnerability, which allows attackers to gain unauthorized functions and data without authentication. This vulnerability affects many portal systems of governments, organizations, and companies.

Impact

Remote attackers can gain parts of privileged pages, which can lead to leakage of sensitive data. The confidentiality, integrity, and availability of data and system will be compromised.


2. Pre-Auth SQL Injection

Description

The portal system has a SQL injection vulnerability, allowing execution of arbitrary SQL commands via id parameter without authentication. 

This vulnerability affects many portal systems of governments, organizations, and companies.

Impact

Remote attackers can gain unauthorized data like user's account and password for system login.

The confidentiality, integrity, and availability of data and system will be compromised.

Version

v3 2.0<2.0-54 and v3 3.0<3.0-54

Credits

Tony Kuo (CHT Security), Jalong Chen (CHT Security)