CHT Security Red Team Discovered Several Vulnerabilities in Well-Known Portal System

Summary

Vulnerability List

1. [CVE-2021-22850] HGiga Portal Security Misconfiguration


2. [CVE-2021-22851] [CVE-2021-22852] HGiga Portal Pre-Auth SQL Injection -1


Details

1. HGiga Portal Security Misconfiguration

Description

HGiga Portal is vulnerable to a broken authentication vulnerability, which allows attackers to gain unauthorized functions and data without authentication. 

This vulnerability affects many portal systems of governments, organizations and companies.

Impact

Remote attackers can gain parts of privileged pages, which can lead to leakage of sensitive data.  

The confidentiality, integrity, and availability of data and system will be compromised.


2. HGiga Portal Pre-Auth SQL Injection

Description

HGiga Portal has a SQL injection vulnerability, allowing execution of arbitrary SQL commands via id parameter without authentication. 

This vulnerability affects many portal systems of governments, organizations and companies.

Impact

Remote attackers can gain unauthorized data like user's account and password for system login.

The confidentiality, integrity, and availability of data and system will be compromised.

Version

OAKSv20 OAKlouds-document_v3 2.0<2.0-54OAKSv30 OAKlouds-document_v3 3.0<3.0-54

Credits

* Tony Kuo (CHT Security), Jalong Chen (CHT Security)