Search criteria
9 vulnerabilities found for hr_portal by hr_portal_project
FKIE_CVE-2021-22853
Vulnerability from fkie_nvd - Published: 2021-02-17 14:15 - Updated: 2024-11-21 05:50
Severity ?
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
5.4 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L
Summary
The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.
References
| URL | Tags | ||
|---|---|---|---|
| twcert@cert.org.tw | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| twcert@cert.org.tw | https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hr_portal_project | hr_portal | 7.3.2020.1013 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*",
"matchCriteriaId": "CC7A24E7-A9EE-4C23-AFD7-8CB76F13A56E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
},
{
"lang": "es",
"value": "El HR Portal de Soar Cloud System presenta un fallo al manejar el control de acceso. Mientras obtienen el ID del usuario, los atacantes remotos pueden acceder a datos confidenciales por medio de un paquete de datos espec\u00edfico, tal y como la informaci\u00f3n de inicio de sesi\u00f3n del usuario, causando que la funci\u00f3n de inicio de sesi\u00f3n no funcione"
}
],
"id": "CVE-2021-22853",
"lastModified": "2024-11-21T05:50:46.080",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "SINGLE",
"availabilityImpact": "PARTIAL",
"baseScore": 5.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P",
"version": "2.0"
},
"exploitabilityScore": 8.0,
"impactScore": 4.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
},
"exploitabilityScore": 2.8,
"impactScore": 2.5,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-17T14:15:19.153",
"references": [
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
}
],
"sourceIdentifier": "twcert@cert.org.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
}
],
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "NVD-CWE-Other"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-22854
Vulnerability from fkie_nvd - Published: 2021-02-17 14:15 - Updated: 2024-11-21 05:50
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege.
References
| URL | Tags | ||
|---|---|---|---|
| twcert@cert.org.tw | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| twcert@cert.org.tw | https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hr_portal_project | hr_portal | 7.3.2020.1013 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*",
"matchCriteriaId": "CC7A24E7-A9EE-4C23-AFD7-8CB76F13A56E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
},
{
"lang": "es",
"value": "El HR Portal de Soar Cloud System presenta un fallo al filtrar par\u00e1metros espec\u00edficos.\u0026#xa0;Los atacantes remotos pueden inyectar sintaxis SQL y obtener todos los datos de la base de datos sin privilegios"
}
],
"id": "CVE-2021-22854",
"lastModified": "2024-11-21T05:50:46.213",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "MEDIUM",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "NONE",
"baseScore": 5.0,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "NONE",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 2.9,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-17T14:15:19.263",
"references": [
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
}
],
"sourceIdentifier": "twcert@cert.org.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-89"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
FKIE_CVE-2021-22855
Vulnerability from fkie_nvd - Published: 2021-02-17 14:15 - Updated: 2024-11-21 05:50
Severity ?
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
References
| URL | Tags | ||
|---|---|---|---|
| twcert@cert.org.tw | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| twcert@cert.org.tw | https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e | Third Party Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html | Third Party Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| hr_portal_project | hr_portal | 7.3.2020.1013 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*",
"matchCriteriaId": "CC7A24E7-A9EE-4C23-AFD7-8CB76F13A56E",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
},
{
"lang": "es",
"value": "La funci\u00f3n espec\u00edfica de HR Portal de Soar Cloud System acepta cualquier tipo de objeto para ser deserializado.\u0026#xa0;Los atacantes pueden enviar objetos serializados maliciosos para ejecutar comandos arbitrarios"
}
],
"id": "CVE-2021-22855",
"lastModified": "2024-11-21T05:50:46.340",
"metrics": {
"cvssMetricV2": [
{
"acInsufInfo": false,
"baseSeverity": "HIGH",
"cvssData": {
"accessComplexity": "LOW",
"accessVector": "NETWORK",
"authentication": "NONE",
"availabilityImpact": "PARTIAL",
"baseScore": 7.5,
"confidentialityImpact": "PARTIAL",
"integrityImpact": "PARTIAL",
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"version": "2.0"
},
"exploitabilityScore": 10.0,
"impactScore": 6.4,
"obtainAllPrivilege": false,
"obtainOtherPrivilege": false,
"obtainUserPrivilege": false,
"source": "nvd@nist.gov",
"type": "Primary",
"userInteractionRequired": false
}
],
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2021-02-17T14:15:19.327",
"references": [
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "twcert@cert.org.tw",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Third Party Advisory"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
}
],
"sourceIdentifier": "twcert@cert.org.tw",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "twcert@cert.org.tw",
"type": "Secondary"
},
{
"description": [
{
"lang": "en",
"value": "CWE-502"
}
],
"source": "nvd@nist.gov",
"type": "Primary"
}
]
}
CVE-2021-22855 (GCVE-0-2021-22855)
Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-16 20:52
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution
Summary
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:37:04",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101009",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22855",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101009",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22855",
"datePublished": "2021-02-17T13:30:20.743977Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T20:52:52.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22854 (GCVE-0-2021-22854)
Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-16 22:56
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - SQL Injection
Summary
The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege.
Severity ?
7.5 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:36:53",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101008",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22854",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101008",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22854",
"datePublished": "2021-02-17T13:30:20.119423Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T22:56:59.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22853 (GCVE-0-2021-22853)
Vulnerability from cvelistv5 – Published: 2021-02-17 13:30 – Updated: 2024-09-17 04:04
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - Broken Access Control
Summary
The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.
Severity ?
5.4 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:36:38",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101007",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22853",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101007",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22853",
"datePublished": "2021-02-17T13:30:19.537050Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-17T04:04:36.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22855 (GCVE-0-2021-22855)
Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-16 20:52
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution
Summary
The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands.
Severity ?
9.8 (Critical)
CWE
- CWE-502 - Deserialization of Untrusted Data
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.567Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:37:04",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101009",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22855",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - Arbitrary Code Execution"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The specific function of HR Portal of Soar Cloud System accepts any type of object to be deserialized. Attackers can send malicious serialized objects to execute arbitrary commands."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-502 Deserialization of Untrusted Data"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4405-2ddde-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101009",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22855",
"datePublished": "2021-02-17T13:30:20.743977Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T20:52:52.968Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22854 (GCVE-0-2021-22854)
Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-16 22:56
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - SQL Injection
Summary
The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege.
Severity ?
7.5 (High)
CWE
- CWE-89 - SQL Injection
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.628Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 SQL Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:36:53",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101008",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22854",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - SQL Injection"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HR Portal of Soar Cloud System fails to filter specific parameters. Remote attackers can inject SQL syntax and obtain all data in the database without privilege."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-89 SQL Injection"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4404-3f498-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101008",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22854",
"datePublished": "2021-02-17T13:30:20.119423Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-16T22:56:59.729Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-22853 (GCVE-0-2021-22853)
Vulnerability from nvd – Published: 2021-02-17 13:30 – Updated: 2024-09-17 04:04
VLAI?
Title
Soar Cloud System Co., Ltd. HR Portal - Broken Access Control
Summary
The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.
Severity ?
5.4 (Medium)
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Soar Cloud System Co., Ltd. | HR Portal |
Affected:
0 7.3.2020.1013
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T18:51:07.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "HR Portal",
"vendor": "Soar Cloud System Co., Ltd.",
"versions": [
{
"status": "affected",
"version": "0 7.3.2020.1013"
}
]
}
],
"datePublic": "2021-02-17T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284 Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-02-19T18:36:38",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
],
"solutions": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101007",
"discovery": "EXTERNAL"
},
"title": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-02-17T13:19:00.000Z",
"ID": "CVE-2021-22853",
"STATE": "PUBLIC",
"TITLE": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "HR Portal",
"version": {
"version_data": [
{
"version_affected": "=",
"version_name": "0",
"version_value": "7.3.2020.1013"
}
]
}
}
]
},
"vendor_name": "Soar Cloud System Co., Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-284 Improper Access Control"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"
},
{
"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e",
"refsource": "CONFIRM",
"url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update to version 7.3.2020.1110"
}
],
"source": {
"advisory": "TVN-202101007",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-22853",
"datePublished": "2021-02-17T13:30:19.537050Z",
"dateReserved": "2021-01-06T00:00:00",
"dateUpdated": "2024-09-17T04:04:36.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}