CHT Security Discovered Several Vulnerabilities in Well-known Official Document System

CHT Security Red Team discovered an SQL Injection vulnerability (CVE-2021-22859) and a Broken Authentication vulnerability (CVE-2021-22860) in a well-known official document system. More than 20 organizations including government, education and financial sectors are affected. The vulnerabilities are briefly described as follows:


CVE-2021-22859: Arbitrary SQL commands can be executed by any user who accesses the affected page. This vulnerability affects many government and corporate systems. It is classified as A1: Injection in the OWASP Top 10 2017.


CVE-2021-22860: It allows attackers to obtain data such as user accounts and passwords without authenticating. This vulnerability affects many government and corporate systems. It is classified as A2: Broken Authentication in the OWASP Top 10 2017.


The vendor released patches after receiving our report. If your organization or enterprise uses the affected official document system, contact the vendor for patching and updating as soon as possible.


CHT Security also recommends the following measures:

  1. Enterprise: Contact the vendor to install the patch as soon as possible. 
  2. System vendor: Implement input validation in the applications. It is recommended to adopt Secure Software Development Life Cycle (SSDLC), provide secure coding training, and regularly conduct security tests, such as Source Code Security Analysis and Penetration Testing, to effectively ensure product security for the clients.
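
The input-validation recommendation above, illustrated with a small Python/sqlite3 example added here (it is not CHT Security's or the vendor's code, and the advisory does not disclose the details of the actual flaw): a lookup that pastes a request parameter into SQL text is shown beside one that binds the parameter and one that additionally validates it against an allowlist. The `documents` table, the `YYYY-NNNN` document-number format, and all function names are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample data (not from the advisory): a tiny in-memory table that
# stands in for a document system's lookup table. The schema is an assumption.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, doc_no TEXT, title TEXT)"
    )
    conn.executemany(
        "INSERT INTO documents (doc_no, title) VALUES (?, ?)",
        [("2021-0001", "Budget memo"), ("2021-0002", "Travel policy")],
    )
    return conn


# Weak pattern: the request parameter is pasted into the SQL text, so a quote
# or other SQL metacharacter in it changes the statement instead of being
# compared as a value.
def find_document_concatenated(conn: sqlite3.Connection, doc_no: str) -> list:
    sql = "SELECT id, title FROM documents WHERE doc_no = '" + doc_no + "'"
    return conn.execute(sql).fetchall()


# Better: bind the value as a parameter so the driver never parses it as SQL.
def find_document_parameterized(conn: sqlite3.Connection, doc_no: str) -> list:
    return conn.execute(
        "SELECT id, title FROM documents WHERE doc_no = ?", (doc_no,)
    ).fetchall()


# Allowlist validation: four digits, a dash, four digits. The format is a
# hypothetical one chosen for this example.
DOC_NO_RE = re.compile(r"\d{4}-\d{4}")


def validate_doc_no(doc_no: str) -> str:
    if not DOC_NO_RE.fullmatch(doc_no):
        raise ValueError("document number has an unexpected format")
    return doc_no


# Hardened pattern: reject anything outside the expected format before it
# reaches the database, then bind it as a parameter (defence in depth).
def find_document_hardened(conn: sqlite3.Connection, doc_no: str) -> list:
    return find_document_parameterized(conn, validate_doc_no(doc_no))


# Run one lookup and summarise what happened as a string, so the behaviour of
# the three patterns can be compared (and asserted) directly.
def outcome(finder, conn: sqlite3.Connection, doc_no: str) -> str:
    try:
        rows = finder(conn, doc_no)
    except sqlite3.OperationalError:
        return "sql-error"   # the input altered the statement's syntax
    except ValueError:
        return "rejected"    # allowlist validation refused the input
    return "rows:%d" % len(rows)


if __name__ == "__main__":
    db = build_db()
    # Second value: a well-formed number with a stray trailing quote character.
    for value in ("2021-0001", "2021-0001'"):
        print(
            repr(value),
            "concatenated ->", outcome(find_document_concatenated, db, value),
            "| parameterized ->", outcome(find_document_parameterized, db, value),
            "| hardened ->", outcome(find_document_hardened, db, value),
        )
```

With the stray quote, the concatenated lookup fails with a SQL syntax error (the symptom that the input reached the parser as code), the parameterized lookup simply finds no row because the whole string is compared as data, and the hardened lookup refuses the value before any query runs. Validation alone is not a substitute for parameter binding; the two layers are meant to be used together.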