CVE-2021-22853 - Vulnerability Details - OpenCVE

The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user’s login information, further causing the login function not to work.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction None

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact None

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00265.

Key SSVC decision points have not yet been added.

Vendors	Products
Hr Portal Project	Hr Portal

Configuration 1 [-]

cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*

No data.

No data.

Fixes

Solution

Update to version 7.3.2020.1110

Workaround

No workaround given by the vendor.

References

Link	Providers
https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e
https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: twcert

Published: 2021-02-17T13:30:19.537050Z

Updated: 2024-09-17T04:04:36.098Z

Reserved: 2021-01-06T00:00:00

Link: CVE-2021-22853

Vulnrichment

No data.

NVD

Status : Modified

Published: 2021-02-17T14:15:19.153

Modified: 2024-11-21T05:50:46.080

Link: CVE-2021-22853

Redhat

No data.

OpenCVE Enrichment

No data.

{"containers": {"cna": {"affected": [{"product": "HR Portal", "vendor": "Soar Cloud System Co., Ltd.", "versions": [{"status": "affected", "version": "0 7.3.2020.1013"}]}], "datePublic": "2021-02-17T00:00:00", "descriptions": [{"lang": "en", "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-284", "description": "CWE-284 Improper Access Control", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"dateUpdated": "2021-02-19T18:36:38", "orgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "shortName": "twcert"}, "references": [{"tags": ["x_refsource_MISC"], "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"}], "solutions": [{"lang": "en", "value": "Update to version 7.3.2020.1110"}], "source": {"advisory": "TVN-202101007", "discovery": "EXTERNAL"}, "title": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control", "x_generator": {"engine": "Vulnogram 0.0.9"}, "x_legacyV4Record": {"CVE_data_meta": {"AKA": "TWCERT/CC", "ASSIGNER": "cve@cert.org.tw", "DATE_PUBLIC": "2021-02-17T13:19:00.000Z", "ID": "CVE-2021-22853", "STATE": "PUBLIC", "TITLE": "Soar Cloud System Co., Ltd. HR Portal - Broken Access Control"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "HR Portal", "version": {"version_data": [{"version_affected": "=", "version_name": "0", "version_value": "7.3.2020.1013"}]}}]}, "vendor_name": "Soar Cloud System Co., Ltd."}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."}]}, "generator": {"engine": "Vulnogram 0.0.9"}, "impact": {"cvss": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "CWE-284 Improper Access Control"}]}]}, "references": {"reference_data": [{"name": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html", "refsource": "MISC", "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"}, {"name": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e", "refsource": "CONFIRM", "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"}]}, "solution": [{"lang": "en", "value": "Update to version 7.3.2020.1110"}], "source": {"advisory": "TVN-202101007", "discovery": "EXTERNAL"}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-03T18:51:07.564Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"}]}]}, "cveMetadata": {"assignerOrgId": "cded6c7f-6ce5-4948-8f87-aa7a3bbb6b0e", "assignerShortName": "twcert", "cveId": "CVE-2021-22853", "datePublished": "2021-02-17T13:30:19.537050Z", "dateReserved": "2021-01-06T00:00:00", "dateUpdated": "2024-09-17T04:04:36.098Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:hr_portal_project:hr_portal:7.3.2020.1013:*:*:*:*:*:*:*", "matchCriteriaId": "CC7A24E7-A9EE-4C23-AFD7-8CB76F13A56E", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "The HR Portal of Soar Cloud System fails to manage access control. While obtaining user ID, remote attackers can access sensitive data via a specific data packet, such as user\u2019s login information, further causing the login function not to work."}, {"lang": "es", "value": "El HR Portal de Soar Cloud System presenta un fallo al manejar el control de acceso. Mientras obtienen el ID del usuario, los atacantes remotos pueden acceder a datos confidenciales por medio de un paquete de datos espec\u00edfico, tal y como la informaci\u00f3n de inicio de sesi\u00f3n del usuario, causando que la funci\u00f3n de inicio de sesi\u00f3n no funcione"}], "id": "CVE-2021-22853", "lastModified": "2024-11-21T05:50:46.080", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 5.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "twcert@cert.org.tw", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2021-02-17T14:15:19.153", "references": [{"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"}, {"source": "twcert@cert.org.tw", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.chtsecurity.com/news/d334641f-2b28-4eab-a5ed-c6ec6740557e"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://www.twcert.org.tw/tw/cp-132-4403-8eb68-1.html"}], "sourceIdentifier": "twcert@cert.org.tw", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-284"}], "source": "twcert@cert.org.tw", "type": "Secondary"}, {"description": [{"lang": "en", "value": "NVD-CWE-Other"}], "source": "nvd@nist.gov", "type": "Primary"}]}