Search criteria
4 vulnerabilities by junhetec
CVE-2021-30173 (GCVE-0-2021-30173)
Vulnerability from cvelistv5 – Published: 2021-05-07 09:30 – Updated: 2024-09-17 00:45
VLAI?
Summary
Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file.
Severity ?
6.5 (Medium)
CWE
- CWE-36 - Absolute Path Traversal
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jun-He Technology Ltd. | Quan-Fang-Wei-Tong-Xun system |
Affected:
2007.2103
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.564Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4712-7ade4-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Quan-Fang-Wei-Tong-Xun system",
"vendor": "Jun-He Technology Ltd.",
"versions": [
{
"status": "affected",
"version": "2007.2103"
}
]
}
],
"datePublic": "2021-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-36",
"description": "CWE-36 Absolute Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-07T09:30:26",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4712-7ade4-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to 2007.2104"
}
],
"source": {
"advisory": "TVN-202104010",
"discovery": "EXTERNAL"
},
"title": "Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Local File Inclusion",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-05-07T09:17:00.000Z",
"ID": "CVE-2021-30173",
"STATE": "PUBLIC",
"TITLE": "Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Local File Inclusion"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Quan-Fang-Wei-Tong-Xun system",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2007.2103"
}
]
}
}
]
},
"vendor_name": "Jun-He Technology Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Local File Inclusion vulnerability of the omni-directional communication system allows remote authenticated attacker inject absolute path into Url parameter and access arbitrary file."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-36 Absolute Path Traversal"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4712-7ade4-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4712-7ade4-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to 2007.2104"
}
],
"source": {
"advisory": "TVN-202104010",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-30173",
"datePublished": "2021-05-07T09:30:26.202808Z",
"dateReserved": "2021-04-06T00:00:00",
"dateUpdated": "2024-09-17T00:45:54.724Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30172 (GCVE-0-2021-30172)
Vulnerability from cvelistv5 – Published: 2021-05-07 09:30 – Updated: 2024-09-17 00:51
VLAI?
Summary
Special characters of picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, additionally access and manipulate customer’s information.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jun-He Technology Ltd. | Quan-Fang-Wei-Tong-Xun system |
Affected:
2007.1901
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.751Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4711-04469-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "Quan-Fang-Wei-Tong-Xun system",
"vendor": "Jun-He Technology Ltd.",
"versions": [
{
"status": "affected",
"version": "2007.1901"
}
]
}
],
"datePublic": "2021-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Special characters of picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-07T09:30:25",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4711-04469-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update version to 2007.2103"
}
],
"source": {
"advisory": "TVN-202104008",
"discovery": "EXTERNAL"
},
"title": "Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-05-07T09:14:00.000Z",
"ID": "CVE-2021-30172",
"STATE": "PUBLIC",
"TITLE": "Jun-He Technology Ltd. Quan-Fang-Wei-Tong-Xun system - Reflected XSS"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "Quan-Fang-Wei-Tong-Xun system",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2007.1901"
}
]
}
}
]
},
"vendor_name": "Jun-He Technology Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Special characters of picture preview page in the Quan-Fang-Wei-Tong-Xun system are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out Reflected XSS (Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4711-04469-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4711-04469-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update version to 2007.2103"
}
],
"source": {
"advisory": "TVN-202104008",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-30172",
"datePublished": "2021-05-07T09:30:25.577905Z",
"dateReserved": "2021-04-06T00:00:00",
"dateUpdated": "2024-09-17T00:51:32.182Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30171 (GCVE-0-2021-30171)
Vulnerability from cvelistv5 – Published: 2021-05-07 09:30 – Updated: 2024-09-17 01:35
VLAI?
Summary
Special characters of ERP POS news page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jun-He Technology Ltd. | ERP POS |
Affected:
2013.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.598Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ERP POS",
"vendor": "Jun-He Technology Ltd.",
"versions": [
{
"status": "affected",
"version": "2013.10"
}
]
}
],
"datePublic": "2021-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Special characters of ERP POS news page are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-07T09:30:24",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update ERP POS version to 2013.2101"
}
],
"source": {
"advisory": "TVN-202104007",
"discovery": "EXTERNAL"
},
"title": "Jun-He Technology Ltd. ERP POS - Stored XSS-2",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-05-07T09:05:00.000Z",
"ID": "CVE-2021-30171",
"STATE": "PUBLIC",
"TITLE": "Jun-He Technology Ltd. ERP POS - Stored XSS-2"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ERP POS",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2013.10"
}
]
}
}
]
},
"vendor_name": "Jun-He Technology Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Special characters of ERP POS news page are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update ERP POS version to 2013.2101"
}
],
"source": {
"advisory": "TVN-202104007",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-30171",
"datePublished": "2021-05-07T09:30:24.945633Z",
"dateReserved": "2021-04-06T00:00:00",
"dateUpdated": "2024-09-17T01:35:45.061Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2021-30170 (GCVE-0-2021-30170)
Vulnerability from cvelistv5 – Published: 2021-05-07 09:30 – Updated: 2024-09-16 23:21
VLAI?
Summary
Special characters of ERP POS customer profile page are not filtered in users’ input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer’s information.
Severity ?
4.6 (Medium)
CWE
- CWE-79 - Cross-site Scripting (XSS)
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Jun-He Technology Ltd. | ERP POS |
Affected:
2013.10
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T22:24:59.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "ERP POS",
"vendor": "Jun-He Technology Ltd.",
"versions": [
{
"status": "affected",
"version": "2013.10"
}
]
}
],
"datePublic": "2021-05-07T00:00:00",
"descriptions": [
{
"lang": "en",
"value": "Special characters of ERP POS customer profile page are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Cross-site Scripting (XSS)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2021-05-07T09:30:24",
"orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"shortName": "twcert"
},
"references": [
{
"tags": [
"x_refsource_MISC"
],
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
],
"solutions": [
{
"lang": "en",
"value": "Update ERP POS version to 2013.2101"
}
],
"source": {
"advisory": "TVN-202104006",
"discovery": "EXTERNAL"
},
"title": "Jun-He Technology Ltd. ERP POS - Stored XSS-1",
"x_generator": {
"engine": "Vulnogram 0.0.9"
},
"x_legacyV4Record": {
"CVE_data_meta": {
"AKA": "TWCERT/CC",
"ASSIGNER": "cve@cert.org.tw",
"DATE_PUBLIC": "2021-05-07T09:05:00.000Z",
"ID": "CVE-2021-30170",
"STATE": "PUBLIC",
"TITLE": "Jun-He Technology Ltd. ERP POS - Stored XSS-1"
},
"affects": {
"vendor": {
"vendor_data": [
{
"product": {
"product_data": [
{
"product_name": "ERP POS",
"version": {
"version_data": [
{
"version_affected": "=",
"version_value": "2013.10"
}
]
}
}
]
},
"vendor_name": "Jun-He Technology Ltd."
}
]
}
},
"data_format": "MITRE",
"data_type": "CVE",
"data_version": "4.0",
"description": {
"description_data": [
{
"lang": "eng",
"value": "Special characters of ERP POS customer profile page are not filtered in users\u2019 input, which allow remote authenticated attackers can inject malicious JavaScript and carry out stored XSS (Stored Cross-site scripting) attacks, additionally access and manipulate customer\u2019s information."
}
]
},
"generator": {
"engine": "Vulnogram 0.0.9"
},
"impact": {
"cvss": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.6,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
"problemtype": {
"problemtype_data": [
{
"description": [
{
"lang": "eng",
"value": "CWE-79 Cross-site Scripting (XSS)"
}
]
}
]
},
"references": {
"reference_data": [
{
"name": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html",
"refsource": "MISC",
"url": "https://www.twcert.org.tw/tw/cp-132-4707-9c87e-1.html"
}
]
},
"solution": [
{
"lang": "en",
"value": "Update ERP POS version to 2013.2101"
}
],
"source": {
"advisory": "TVN-202104006",
"discovery": "EXTERNAL"
}
}
}
},
"cveMetadata": {
"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
"assignerShortName": "twcert",
"cveId": "CVE-2021-30170",
"datePublished": "2021-05-07T09:30:24.312833Z",
"dateReserved": "2021-04-06T00:00:00",
"dateUpdated": "2024-09-16T23:21:33.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}