Vulnerabilities for 'Flygo'

2021-08-09

CVE-2021-37211

CWE-79

The bulletin function of Flygo does not filter special characters while a new announcement is added. Remote attackers can use the vulnerability with a general user's credential to inject JavaScript and execute stored XSS attacks.

CVE-2021-37212

CWE-706

The bulletin function of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the bulletin ID in specific URL parameters to access and modify particular bulletin content.

CVE-2021-37213

CWE-706

The check-in record page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID and date in specific parameters to access a particular employee's check-in record.

CVE-2021-37214

CWE-706

The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the employee ID in specific parameters to arbitrarily access employee data, modify it, and then obtain administrator privilege and execute arbitrary commands.

CVE-2021-37215

CWE-706

The employee management page of Flygo contains an Insecure Direct Object Reference (IDOR) vulnerability. After being authenticated as a general user, remote attackers can manipulate the user data and then overwrite another employee's user data by specifying that employee's ID in the API parameter.

Copyright 2024, cxsecurity.com