CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Domestic Learning System
- [CVE-2021-35963] Orca HCM - Unrestricted Upload of File with Dangerous Type
- [CVE-2021-35964] Orca HCM - Broken Authentication
- [CVE-2021-35965] Orca HCM - Hard-coded password
1. Orca HCM - Unrestricted Upload of File with Dangerous Type
Specific parameters of the digital learning platform's upload function do not properly filter the file format, so remote attackers can, without logging in, upload files containing malicious script content and achieve remote code execution (RCE).
Because uploads are unrestricted, attackers can use them to gain access to the hosting machine.
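The server-side checks whose absence the description above points to, shown as an added example (not Orca HCM code and not part of the original advisory): the handler refuses anonymous requests, allow-lists file types by extension and leading bytes, and discards the client-supplied name. The function names, the allow-list and the size limit are assumptions made for illustration.

```python
import os
import secrets

# Assumed policy: permitted extension -> magic bytes the content must start with.
ALLOWED_TYPES = {
    ".pdf": (b"%PDF-",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
}
MAX_BYTES = 10 * 1024 * 1024


class UploadRejected(Exception):
    """Raised when an upload fails a policy check."""


def accept_upload(session_user, client_filename, data):
    """Return a server-chosen storage name, or raise UploadRejected."""
    # The upload handler must never run for an anonymous request.
    if not session_user:
        raise UploadRejected("authentication required")
    if len(data) > MAX_BYTES:
        raise UploadRejected("file too large")
    # Keep only the last path component, whichever separator the client used.
    name = os.path.basename(client_filename.replace("\\", "/"))
    ext = os.path.splitext(name.lower())[1]
    # Allow-list, not deny-list: script extensions and unknown types all fail here.
    if ext not in ALLOWED_TYPES:
        raise UploadRejected("file type not permitted")
    # The content must match the claimed type, not just the name.
    if not data.startswith(ALLOWED_TYPES[ext]):
        raise UploadRejected("content does not match extension")
    # Discard the client's name entirely; store under a random name, in a
    # directory the web server serves as static data and never executes.
    return secrets.token_hex(16) + ext


def is_rejected(session_user, client_filename, data):
    """True when accept_upload refuses the request."""
    try:
        accept_upload(session_user, client_filename, data)
    except UploadRejected:
        return True
    return False


if __name__ == "__main__":
    # Constructed requests: an anonymous upload, then script content named as an image.
    print(is_rejected(None, "slides.pdf", b"%PDF-1.7\n"), is_rejected("alice", "logo.png", b"<?php"))
```

Leading-byte checks only confirm the claimed type, so the storage directory must still be configured so that nothing in it is interpreted as script.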
2. Orca HCM - Broken Authentication
Attackers can use a specific URL to access unauthorized functionality and data.
Remote attackers can use some of the management functions, view member information, and modify or delete courses.
3. Orca HCM - Hard-coded password
The digital learning platform contains a default administrator password, which is hard-coded in a config file that can be accessed through a specific URL.
Remote attackers can obtain the administrator password and use it for further attacks.
Orca HCM v10.0
* Jalong Chen (CHT Security)