Vulnerability-Lookup

CNVD-2021-101182

Vulnerability from cnvd - Published: 2021-12-21

Title

ShinHer StudyOnline System授权问题漏洞（CNVD-2021-101182）

Description

ShinHer StudyOnline System是中国欣河（ShinHer）公司的一种校务系统。 ShinHer StudyOnline System存在授权问题漏洞，该漏洞源于ShinHer StudyOnline系统的教师编辑功能不进行权限控制。攻击者可利用该漏洞使用用户权限登录后，可以通过设置URL参数访问和编辑其他用户的凭证和个人信息。

Severity

中

Patch Name

ShinHer StudyOnline System授权问题漏洞（CNVD-2021-101182）的补丁

Patch Description

Formal description

目前厂商已发布升级补丁以修复漏洞，详情请关注厂商主页： https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html

Reference

https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html

Impacted products

Name
ShinHer StudyOnline System v2021

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2021-42330"
    }
  },
  "description": "ShinHer StudyOnline System\u662f\u4e2d\u56fd\u6b23\u6cb3\uff08ShinHer\uff09\u516c\u53f8\u7684\u4e00\u79cd\u6821\u52a1\u7cfb\u7edf\u3002\n\nShinHer StudyOnline System\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShinHer StudyOnline\u7cfb\u7edf\u7684\u6559\u5e08\u7f16\u8f91\u529f\u80fd\u4e0d\u8fdb\u884c\u6743\u9650\u63a7\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7528\u6237\u6743\u9650\u767b\u5f55\u540e\uff0c\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6eURL\u53c2\u6570\u8bbf\u95ee\u548c\u7f16\u8f91\u5176\u4ed6\u7528\u6237\u7684\u51ed\u8bc1\u548c\u4e2a\u4eba\u4fe1\u606f\u3002",
  "formalWay": "\u76ee\u524d\u5382\u5546\u5df2\u53d1\u5e03\u5347\u7ea7\u8865\u4e01\u4ee5\u4fee\u590d\u6f0f\u6d1e\uff0c\u8be6\u60c5\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\uff1a\r\nhttps://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2021-101182",
  "openTime": "2021-12-21",
  "patchDescription": "ShinHer StudyOnline System\u662f\u4e2d\u56fd\u6b23\u6cb3\uff08ShinHer\uff09\u516c\u53f8\u7684\u4e00\u79cd\u6821\u52a1\u7cfb\u7edf\u3002\r\n\r\nShinHer StudyOnline System\u5b58\u5728\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8eShinHer StudyOnline\u7cfb\u7edf\u7684\u6559\u5e08\u7f16\u8f91\u529f\u80fd\u4e0d\u8fdb\u884c\u6743\u9650\u63a7\u5236\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u4f7f\u7528\u7528\u6237\u6743\u9650\u767b\u5f55\u540e\uff0c\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6eURL\u53c2\u6570\u8bbf\u95ee\u548c\u7f16\u8f91\u5176\u4ed6\u7528\u6237\u7684\u51ed\u8bc1\u548c\u4e2a\u4eba\u4fe1\u606f\u3002 \u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "ShinHer StudyOnline System\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-101182\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "ShinHer StudyOnline System v2021"
  },
  "referenceLink": "https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html",
  "serverity": "\u4e2d",
  "submitTime": "2021-10-19",
  "title": "ShinHer StudyOnline System\u6388\u6743\u95ee\u9898\u6f0f\u6d1e\uff08CNVD-2021-101182\uff09"
}

CVE-2021-42330 (GCVE-0-2021-42330)

Vulnerability from cvelistv5 – Published: 2021-10-15 12:10 – Updated: 2024-09-16 16:38

Title

ShinHer Information Co., LTD. ShinHer StudyOnline System - Improper Authorization-1

Summary

The “Teacher Edit” function of ShinHer StudyOnline System does not perform authority control. After logging in with user’s privilege, remote attackers can access and edit other users’ credential and personal information by crafting URL parameters.

Severity ?

8.8 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CWE

CWE-285 - Improper Authorization

Assigner

twcert

References

URL

Tags

https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html

x_refsource_MISC

Impacted products

	Vendor	Product	Version
	ShinHer Information Co., LTD.	ShinHer StudyOnline System	Affected: unspecified , ≤ 2021 (custom)

Date Public ?

2021-10-15 00:00

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-04T03:30:38.279Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_MISC",
              "x_transferred"
            ],
            "url": "https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "ShinHer StudyOnline System",
          "vendor": "ShinHer Information Co., LTD.",
          "versions": [
            {
              "lessThanOrEqual": "2021",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "datePublic": "2021-10-15T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "The \u201cTeacher Edit\u201d function of ShinHer StudyOnline System does not perform authority control. After logging in with user\u2019s privilege, remote attackers can access and edit other users\u2019 credential and personal information by crafting URL parameters."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2021-10-15T12:10:31.000Z",
        "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
        "shortName": "twcert"
      },
      "references": [
        {
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Update ShinHer StudyOnline System to version v2021.08.20.01"
        }
      ],
      "source": {
        "advisory": "TVN-202110002",
        "discovery": "EXTERNAL"
      },
      "title": "ShinHer Information Co., LTD. ShinHer StudyOnline System - Improper Authorization-1",
      "x_generator": {
        "engine": "Vulnogram 0.0.9"
      },
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "AKA": "TWCERT/CC",
          "ASSIGNER": "cve@cert.org.tw",
          "DATE_PUBLIC": "2021-10-15T11:38:00.000Z",
          "ID": "CVE-2021-42330",
          "STATE": "PUBLIC",
          "TITLE": "ShinHer Information Co., LTD. ShinHer StudyOnline System - Improper Authorization-1"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "ShinHer StudyOnline System",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "2021"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "ShinHer Information Co., LTD."
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The \u201cTeacher Edit\u201d function of ShinHer StudyOnline System does not perform authority control. After logging in with user\u2019s privilege, remote attackers can access and edit other users\u2019 credential and personal information by crafting URL parameters."
            }
          ]
        },
        "generator": {
          "engine": "Vulnogram 0.0.9"
        },
        "impact": {
          "cvss": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-285 Improper Authorization"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html",
              "refsource": "MISC",
              "url": "https://www.twcert.org.tw/tw/cp-132-5200-3d3ca-1.html"
            }
          ]
        },
        "solution": [
          {
            "lang": "en",
            "value": "Update ShinHer StudyOnline System to version v2021.08.20.01"
          }
        ],
        "source": {
          "advisory": "TVN-202110002",
          "discovery": "EXTERNAL"
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e",
    "assignerShortName": "twcert",
    "cveId": "CVE-2021-42330",
    "datePublished": "2021-10-15T12:10:31.314Z",
    "dateReserved": "2021-10-12T00:00:00.000Z",
    "dateUpdated": "2024-09-16T16:38:14.758Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2021-101182

CVE-2021-42330 (GCVE-0-2021-42330)

Tags

Sightings

Nomenclature