CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Human Resource Portal
Summary
Vulnerability List
[CVE-2021-22853] - Broken Access Control
[CVE-2021-22854] - SQL Injection
[CVE-2021-22855] - Insecure Deserialization
Details
1. Broken Access Control
Description
Attacker can use a crafted packet to access unauthorized sensitive data.
Impact
Attackers can dump sensitive data via a specific data packet, such as all users’ personal information in the same group, further causing the login function not to work.
Known Affected Software
- version before 7.3.2020.1110
2. SQL Injection
Description
There is a parameter affected by SQL Injection.
Impact
Attackers can inject SQL syntax and obtain all data in the database without privilege.
Known Affected Software
- version before 7.3.2020.1110
3. Insecure Deserialization
Description
The specific function accepts any type of object to be deserialized.
Impact
Attackers can send malicious serialized objects to execute arbitrary commands without privilege.
Known Affected Software
- version before 7.3.2020.1110
Credits
TsungShu Chiu (CHT Security)