CVE-2021-42337 - The permission control of AIFU cashier management salary query function can be bypassed, thus after

CVE-2021-42337

Summary

The permission control of AIFU cashier management salary query function can be bypassed, thus after obtaining general user’s permission, the remote attacker can access account information except passwords by crafting URL parameters.

References

https://www.twcert.org.tw/tw/cp-132-5296-cbf80-1.html

Vulnerable Configurations

cpe:2.3:a:aifu:cashier_accounting_management_system:-:*:*:*:*:*:*:*
cpe:2.3:a:aifu:cashier_accounting_management_system:-:*:*:*:*:*:*:*

CVSS

Base:	4.0 (as of 09-08-2022 - 14:40)
Impact:
Exploitability:

CWE

NVD-CWE-Other

CAPEC

Access

Vector	Complexity	Authentication
NETWORK	LOW	SINGLE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:N/AC:L/Au:S/C:P/I:N/A:N

Last major update

09-08-2022 - 14:40

Published

16-11-2021 - 02:15

Last modified

09-08-2022 - 14:40