CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Stock Selection System

The Vulnerability Report of Stock Selection System

Summary

Vulnerability List

1. [CVE-2020-3937] SQL Injection

2. [CVE-2020-3938] Server-Side Request Forgery

3. [CVE-2020-3939] Cross-Site Scripting (Reflected XSS)

Details

1. SQL Injection

Description

There are several parameters that were affected by SQL Injection. 

Impact

This vulnerability allows attackers to perform unwanted SQL queries and access arbitrary file in the database.

Known Affected Software

•    versions before 20191223

2. Server-Side Request Forgery

Description

There are several parameters that were affected by Server-Side Request Forgery.

Impact

This vulnerability allows attackers to launch inquiries into network architecture or system files of the server via forged inquests.

Known Affected Software

•    versions before 20191223

3. Cross-Site Scripting (Reflected XSS)

Description

There are several parameters that were affected by reflected XSS.

Impact

If an attacker can control a script that is executed in the victim's browser, personal information may be leaked to attackers via the vulnerability.

Known Affected Software

•    versions before 20191223

Credits

•    Jalong Chen (CHT Security)