Vulnerability CVE-2021-42337


Published: 2021-11-16   Modified: 2021-11-17

Description:
The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user??s permission, the remote attacker can access account information except passwords by crafting URL parameters.

Type:

CWE-285

(Improper Authorization)

CVSS2 => (AV:N/AC:L/Au:S/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
4/10
2.9/10
8/10
Exploit range
Attack complexity
Authentication
Remote
Low
Single time
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None
Affected software
AIFU -> Cashier accounting management system 

 References:
https://www.twcert.org.tw/tw/cp-132-5296-cbf80-1.html

Copyright 2022, cxsecurity.com

 

Back to Top