CVE-2021-22860
EIC e-document system - Broken Authentication
Vexday Risk Score
28 (Low)
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 9.8 | EPSS 2.6% | KEV no | PoC — | Nuclei — | Metasploit — | Patch —
Lifecycle
17 Mar 2021: Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
EIC e-document system does not perform complete identity verification for sorting and filtering personnel data. The vulnerability allows a remote attacker to obtain users' credential information without logging in to the system, and further acquire privileged permissions and execute arbitrary commands.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products
Excellent Infotek Corporation · e-document system