CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Human Resource Portal

Summary

Vulnerability List

[CVE-2021-22853] - Broken Access Control

[CVE-2021-22854] - SQL Injection

[CVE-2021-22855] - Insecure Deserialization



Details

1. Broken Access Control

Description

An attacker can use a crafted packet to access sensitive data without authorization.

Impact

With a specific data packet, attackers can dump sensitive data, such as the personal information of all users in the same group, and further cause the login function to stop working.

Known Affected Software

  • Versions before 7.3.2020.1110

2. SQL Injection

Description

One parameter is vulnerable to SQL injection.

Impact

Attackers without any privileges can inject SQL syntax and obtain all data in the database.

Known Affected Software

  • Versions before 7.3.2020.1110

3. Insecure Deserialization

Description

A specific function accepts objects of any type for deserialization.
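
One way to restrict which types a deserializer will instantiate, shown with Python's pickle as an added illustration; it is not code from the affected product, whose language and serialization format this advisory does not state. The allowlist, the function names and the sample payloads are assumptions constructed for the example.

```python
import io
import pickle
from collections import OrderedDict
from datetime import date

# Assumed allowlist: the only non-builtin type this hypothetical endpoint expects.
ALLOWED_TYPES = {("datetime", "date")}


class AllowlistUnpickler(pickle.Unpickler):
    """Unpickler that resolves only explicitly allowlisted classes."""

    def find_class(self, module, name):
        # pickle calls find_class for every class or callable the stream names;
        # refusing here stops the object from ever being constructed.
        if (module, name) in ALLOWED_TYPES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"type not allowed: {module}.{name}")


def unsafe_loads(data: bytes):
    """The flawed pattern: any type named in the stream is instantiated."""
    return pickle.loads(data)


def safe_loads(data: bytes):
    """Hardened form: types outside ALLOWED_TYPES raise UnpicklingError."""
    return AllowlistUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """Return True if the hardened loader accepts the payload."""
    try:
        safe_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


# Constructed sample payloads: one with the expected shape, one carrying a
# harmless type that the endpoint never asked for.
EXPECTED = pickle.dumps({"name": "alice", "hired": date(2020, 11, 10)}, protocol=4)
UNEXPECTED = pickle.dumps(OrderedDict(name="alice"), protocol=4)

if __name__ == "__main__":
    print("unsafe loader built:", type(unsafe_loads(UNEXPECTED)).__name__)
    print("expected payload accepted:", is_accepted(EXPECTED))
    print("unexpected payload accepted:", is_accepted(UNEXPECTED))
```

The same principle applies to other serialization formats: the receiving side decides which types may be constructed, and everything else is refused before instantiation.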

Impact

Attackers without any privileges can send malicious serialized objects to execute arbitrary commands.

Known Affected Software

  • Versions before 7.3.2020.1110

Credits

TsungShu Chiu (CHT Security)